key management interoperability protocol
TRANSCRIPT
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 1 of 176
Key Management Interoperability Protocol Specification Version 1.0 Committee Draft 1006 / Public Review 0201
18 March 2010
09 November 2009 Specification URIs: This Version:
http://docs.oasis-open.org/kmip/spec/v1.0/cd10cd06/kmip-spec-1.0-cd-1006.html http://docs.oasis-open.org/kmip/spec/v1.0/cd10cd06/kmip-spec-1.0-cd-1006.doc (Authoritative) http://docs.oasis-open.org/kmip/spec/v1.0/cd10cd06/kmip-spec-1.0-cd-1006.pdf Previous Version: http://docs.oasis-open.org/kmip/spec/v1.0/cd06/kmip-spec-1.0-cd-06.html http://docs.oasis-open.org/kmip/spec/v1.0/cd06/kmip-spec-1.0-cd-06.doc http://docs.oasis-open.org/kmip/spec/v1.0/cd06/kmip-spec-1.0-cd-06.pdf
Latest Version: http://docs.oasis-open.org/kmip/spec/v1.0/kmip-spec-1.0.html http://docs.oasis-open.org/kmip/spec/v1.0/kmip-spec-1.0.doc http://docs.oasis-open.org/kmip/spec/v1.0/kmip-spec-1.0.pdf
Technical Committee: OASIS Key Management Interoperability Protocol (KMIP) TC
Chair(s): Robert Griffin, EMC Corporation <[email protected]> Subhash Sankuratripati, NetApp <[email protected]>
Editor(s): Robert Haas, IBM <[email protected]> Indra Fitzgerald, HP <[email protected]>
Related work: This specification replaces or supersedes:
• None This specification is related to:
• Key Management Interoperability Protocol Profiles Version 1.0, Key Management Interoperability Protocol Profiles Version 1.0http://docs.oasis-open.org/kmip/profiles/v1.0/
• Key Management Interoperability Protocol Use Cases Version 1.0, Key Management Interoperability Protocol Use Cases Version 1.0http://docs.oasis-open.org/kmip/usecases/v1.0/
• Key Management Interoperability Protocol Usage Guide Version 1.0, Key Management Interoperability Protocol Usage Guide Version 1.0http://docs.oasis-open.org/kmip/ug/v1.0/
Style Definition: AppendixHeading2: Tabstops: Not at 40.3 pt
Style Definition: Heading 2,H2,h2,Level 2Topic Heading: Tab stops: 40.3 pt, Left + Notat 0 pt
Field Code Changed
Field Code Changed
Field Code Changed
Formatted: Title page info description, None,Don't adjust space between Latin and Asian text
Formatted: Hyperlink
Field Code Changed
Field Code Changed
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 2 of 176
Declared XML Namespace(s): None
Abstract: This document is intended for developers and architects who wish to design systems and applications that interoperate using the Key Management Interoperability Protocol specification.
Status: This document was last revised or approved by the Key Management Interoperability Protocol TC on the above date. The level of approval is also listed above. Check the “Latest Version” or “Latest Approved Version” location noted above for possible later revisions of this document. Technical Committee members should send comments on this specification to the Technical Committee’s email list. Others should send comments to the Technical Committee by using the “Send A Comment” button on the Technical Committee’s web page at http://www.oasis-open.org/committees/kmip/. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (http://www.oasis-open.org/committees/kmip/ipr.php).. The non-normative errata page for this specification is located at http://www.oasis-open.org/committees/kmip/.
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 3 of 176
Notices Copyright © OASIS® 20102009. All Rights Reserved. All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so. OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims. The names "OASIS", “KMIP”[insert specific trademarked names and abbreviations here] are trademarks of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see http://www.oasis-open.org/who/trademark.php for above guidance.
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 4 of 176
Table of Contents 1 Introduction .............................................................................................................................................. 12
1.1 Terminology ............................................................................................................................... 12 1.2 Normative References ............................................................................................................... 15 1.3 Non-normative References ........................................................................................................ 18
2 Objects ............................................................................................................................................... 19 2.1 Base Objects ............................................................................................................................. 19
2.1.1 Attribute ................................................................................................................................. 19 2.1.2 Credential .............................................................................................................................. 20 2.1.3 Key Block ............................................................................................................................... 20 2.1.4 Key Value .............................................................................................................................. 21 2.1.5 Key Wrapping Data ............................................................................................................... 22 2.1.6 Key Wrapping Specification .................................................................................................. 23 2.1.7 Transparent Key Structures .................................................................................................. 24 2.1.8 Template-Attribute Structures ............................................................................................... 29
2.2 Managed Objects ....................................................................................................................... 30 2.2.1 Certificate .............................................................................................................................. 30 2.2.2 Symmetric Key ...................................................................................................................... 30 2.2.3 Public Key .............................................................................................................................. 30 2.2.4 Private Key ............................................................................................................................ 31 2.2.5 Split Key ................................................................................................................................ 31 2.2.6 Template ................................................................................................................................ 32 2.2.7 Secret Data ............................................................................................................................ 33 2.2.8 Opaque Object ...................................................................................................................... 33
3 Attributes ............................................................................................................................................ 35 3.1 Unique Identifier ......................................................................................................................... 36 3.2 Name ......................................................................................................................................... 37 3.3 Object Type................................................................................................................................ 37 3.4 Cryptographic Algorithm ............................................................................................................ 38 3.5 Cryptographic Length ................................................................................................................ 38 3.6 Cryptographic Parameters ......................................................................................................... 39 3.7 Cryptographic Domain Parameters ........................................................................................... 41 3.8 Certificate Type .......................................................................................................................... 41 3.9 Certificate Identifier .................................................................................................................... 42 3.10 Certificate Subject ...................................................................................................................... 42 3.11 Certificate Issuer ........................................................................................................................ 43 3.12 Digest ......................................................................................................................................... 44 3.13 Operation Policy Name .............................................................................................................. 45
3.13.1 Operations outside of operation policy control .................................................................. 46 3.13.2 Default Operation Policy ................................................................................................... 46
3.14 Cryptographic Usage Mask ....................................................................................................... 48 3.15 Lease Time ................................................................................................................................ 50 3.16 Usage Limits .............................................................................................................................. 50 3.17 State ........................................................................................................................................... 52
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 5 of 176
3.18 Initial Date .................................................................................................................................. 54 3.19 Activation Date ........................................................................................................................... 55 3.20 Process Start Date ..................................................................................................................... 55 3.21 Protect Stop Date ...................................................................................................................... 56 3.22 Deactivation Date ...................................................................................................................... 57 3.23 Destroy Date .............................................................................................................................. 57 3.24 Compromise Occurrence Date .................................................................................................. 58 3.25 Compromise Date ...................................................................................................................... 58 3.26 Revocation Reason ................................................................................................................... 59 3.27 Archive Date .............................................................................................................................. 59 3.28 Object Group ............................................................................................................................. 60 3.29 Link ............................................................................................................................................ 60 3.30 Application Specific Information ................................................................................................ 62 3.31 Contact Information ................................................................................................................... 62 3.32 Last Change Date ...................................................................................................................... 63 3.33 Custom Attribute ........................................................................................................................ 63
4 Client-to-Server Operations ................................................................................................................ 65 4.1 Create ........................................................................................................................................ 65 4.2 Create Key Pair ......................................................................................................................... 66 4.3 Register ...................................................................................................................................... 68 4.4 Re-key ........................................................................................................................................ 69 4.5 Derive Key ................................................................................................................................. 71 4.6 Certify ......................................................................................................................................... 74 4.7 Re-certify .................................................................................................................................... 75 4.8 Locate ........................................................................................................................................ 77 4.9 Check ......................................................................................................................................... 78 4.10 Get ............................................................................................................................................. 80 4.11 Get Attributes ............................................................................................................................. 81 1.1 Get Attribute List ............................................................................................................................... 82 4.12 Get Attribute List ........................................................................................................................ 82 4.13 Add Attribute .............................................................................................................................. 83 4.14 Modify Attribute .......................................................................................................................... 83 4.15 Delete Attribute .......................................................................................................................... 84 4.16 Obtain Lease ............................................................................................................................. 84 4.17 Get Usage Allocation ................................................................................................................. 85 1.2 Activate ............................................................................................................................................. 86 4.18 Activate ...................................................................................................................................... 86 4.19 Revoke ....................................................................................................................................... 87 1.3 Destroy .............................................................................................................................................. 87 4.20 Destroy ....................................................................................................................................... 88 4.21 Archive ....................................................................................................................................... 88 4.22 Recover ...................................................................................................................................... 89 4.23 Validate ...................................................................................................................................... 89 4.24 Query ......................................................................................................................................... 90 4.25 Cancel ........................................................................................................................................ 91
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 6 of 176
4.26 Poll ............................................................................................................................................. 92 5 Server-to-Client Operations ................................................................................................................ 93
5.1 Notify .......................................................................................................................................... 93 5.2 Put .............................................................................................................................................. 93
6 Message Contents.............................................................................................................................. 95 6.1 Protocol Version ........................................................................................................................ 95 6.2 Operation ................................................................................................................................... 95 6.3 Maximum Response Size .......................................................................................................... 95 6.4 Unique Batch Item ID ................................................................................................................. 96 6.5 Time Stamp................................................................................................................................ 96 6.6 Authentication ............................................................................................................................ 96 6.7 Asynchronous Indicator ............................................................................................................. 97 6.8 Asynchronous Correlation Value ............................................................................................... 97 6.9 Result Status ............................................................................................................................. 97 6.10 Result Reason ........................................................................................................................... 98 6.11 Result Message ......................................................................................................................... 99 6.12 Batch Order Option .................................................................................................................... 99 6.13 Batch Error Continuation Option ................................................................................................ 99 6.14 Batch Count ............................................................................................................................. 100 6.15 Batch Item ................................................................................................................................ 100 6.16 Message Extension ................................................................................................................. 100
7 Message Format ............................................................................................................................... 102 7.1 Message Structure ................................................................................................................... 102 7.2 Operations ............................................................................................................................... 102 6.1 Asynchronous Operations .............................................................................................................. 104
8 Authentication ................................................................................................................................... 107 9 Message Encoding ........................................................................................................................... 108
9.1 TTLV Encoding ........................................................................................................................ 108 9.1.1 TTLV Encoding Fields ......................................................................................................... 108 9.1.2 Examples ............................................................................................................................. 110 9.1.3 Defined Values .................................................................................................................... 111
9.2 XML Encoding ......................................................................................................................... 131 10 Transport .......................................................................................................................................... 132 11 Error Handling .................................................................................................................................. 133
11.1 General .................................................................................................................................... 133 11.2 Create ...................................................................................................................................... 134 11.3 Create Key Pair ....................................................................................................................... 134 11.4 Register .................................................................................................................................... 135 11.5 Re-key ...................................................................................................................................... 135 11.6 Derive Key ............................................................................................................................... 136 11.7 Certify ....................................................................................................................................... 137 11.8 Re-certify .................................................................................................................................. 137 11.9 Locate ...................................................................................................................................... 137 11.10 Check .................................................................................................................................. 138 11.11 Get ....................................................................................................................................... 138
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 7 of 176
11.12 Get Attributes ....................................................................................................................... 139 11.13 Get Attribute List .................................................................................................................. 139 11.14 Add Attribute ........................................................................................................................ 139 11.15 Modify Attribute.................................................................................................................... 140 11.16 Delete Attribute .................................................................................................................... 140 11.17 Obtain Lease ....................................................................................................................... 141 11.18 Get Usage Allocation ........................................................................................................... 141 11.19 Activate ................................................................................................................................ 141 11.20 Revoke ................................................................................................................................ 142 11.21 Destroy ................................................................................................................................ 142 11.22 Archive ................................................................................................................................. 142 11.23 Recover ............................................................................................................................... 142 11.24 Validate ................................................................................................................................ 143 11.25 Query ................................................................................................................................... 143 11.26 Cancel ................................................................................................................................. 143 11.27 Poll ....................................................................................................................................... 143 11.28 Batch Items .......................................................................................................................... 143
12 Server Baseline Implementation Conformance Profile .................................................................... 145 12.1 Conformance clauses for a KMIP Server ................................................................................ 145
A. Attribute Cross-reference...................................................................................................................... 147 B. Tag Cross-reference ............................................................................................................................. 149 C. Operation and Object Cross-reference ................................................................................................ 155 D. Acronyms .............................................................................................................................................. 156 E. List of Figures and Tables .................................................................................................................... 159 F. Acknowledgements ............................................................................................................................... 172 G. Revision History ................................................................................................................................... 174 1 Introduction ................................................................................................................................................ 8
1.1 Terminology ................................................................................................................................. 8 1.2 Normative References ............................................................................................................... 11 1.3 Non-normative References ........................................................................................................ 13
2 Objects ............................................................................................................................................... 15 2.1 Base Objects ............................................................................................................................. 15
2.1.1 Attribute ................................................................................................................................. 15 2.1.2 Credential .............................................................................................................................. 16 2.1.3 Key Block ............................................................................................................................... 16 2.1.4 Key Value .............................................................................................................................. 17 2.1.5 Key Wrapping Data ............................................................................................................... 18 2.1.6 Key Wrapping Specification .................................................................................................. 19 2.1.7 Transparent Key Structures .................................................................................................. 20 2.1.8 Template-Attribute Structures ............................................................................................... 25
2.2 Managed Objects ....................................................................................................................... 25 2.2.1 Certificate .............................................................................................................................. 25 2.2.2 Symmetric Key ...................................................................................................................... 26 2.2.3 Public Key .............................................................................................................................. 26 2.2.4 Private Key ............................................................................................................................ 26
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 8 of 176
2.2.5 Split Key ................................................................................................................................ 26 2.2.6 Template ................................................................................................................................ 28 2.2.7 Secret Data ............................................................................................................................ 29 2.2.8 Opaque Object ...................................................................................................................... 29
3 Attributes ............................................................................................................................................ 30 3.1 Unique Identifier ......................................................................................................................... 31 3.2 Name ......................................................................................................................................... 32 3.3 Object Type................................................................................................................................ 32 3.4 Cryptographic Algorithm ............................................................................................................ 33 3.5 Cryptographic Length ................................................................................................................ 33 3.6 Cryptographic Parameters ......................................................................................................... 34 3.7 Cryptographic Domain Parameters ........................................................................................... 35 3.8 Certificate Type .......................................................................................................................... 36 3.9 Certificate Identifier .................................................................................................................... 36 3.10 Certificate Subject ...................................................................................................................... 37 3.11 Certificate Issuer ........................................................................................................................ 38 3.12 Digest ......................................................................................................................................... 38 3.13 Operation Policy Name .............................................................................................................. 39
3.13.1 Operations outside of operation policy control .................................................................. 40 3.13.2 Default Operation Policy ................................................................................................... 40
3.14 Cryptographic Usage Mask ....................................................................................................... 43 3.15 Lease Time ................................................................................................................................ 44 3.16 Usage Limits .............................................................................................................................. 45 3.17 State ........................................................................................................................................... 46 3.18 Initial Date .................................................................................................................................. 48 3.19 Activation Date ........................................................................................................................... 48 3.20 Process Start Date ..................................................................................................................... 49 3.21 Protect Stop Date ...................................................................................................................... 50 3.22 Deactivation Date ...................................................................................................................... 51 3.23 Destroy Date .............................................................................................................................. 51 3.24 Compromise Occurrence Date .................................................................................................. 52 3.25 Compromise Date ...................................................................................................................... 52 3.26 Revocation Reason ................................................................................................................... 53 3.27 Archive Date .............................................................................................................................. 53 3.28 Object Group ............................................................................................................................. 54 3.29 Link ............................................................................................................................................ 54 3.30 Application Specific Information ................................................................................................ 56 3.31 Contact Information ................................................................................................................... 56 3.32 Last Change Date ...................................................................................................................... 57 3.33 Custom Attribute ........................................................................................................................ 57
4 Client-to-Server Operations ................................................................................................................ 59 4.1 Create ........................................................................................................................................ 59 4.2 Create Key Pair ......................................................................................................................... 60 4.3 Register ...................................................................................................................................... 62 4.4 Re-key ........................................................................................................................................ 63
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 9 of 176
4.5 Derive Key ................................................................................................................................. 65 4.6 Certify ......................................................................................................................................... 68 4.7 Re-certify .................................................................................................................................... 69 4.8 Locate ........................................................................................................................................ 71 4.9 Check ......................................................................................................................................... 72 4.10 Get ............................................................................................................................................. 74 4.11 Get Attributes ............................................................................................................................. 75 1.1 Get Attribute List ............................................................................................................................... 75 4.12 Get Attribute List ........................................................................................................................ 76 4.13 Add Attribute .............................................................................................................................. 76 4.14 Modify Attribute .......................................................................................................................... 77 4.15 Delete Attribute .......................................................................................................................... 77 4.16 Obtain Lease ............................................................................................................................. 78 4.17 Get Usage Allocation ................................................................................................................. 79 1.2 Activate ............................................................................................................................................. 79 4.18 Activate ...................................................................................................................................... 80 4.19 Revoke ....................................................................................................................................... 80 1.3 Destroy .............................................................................................................................................. 81 4.20 Destroy ....................................................................................................................................... 81 4.21 Archive ....................................................................................................................................... 82 4.22 Recover ...................................................................................................................................... 82 4.23 Validate ...................................................................................................................................... 83 4.24 Query ......................................................................................................................................... 83 4.25 Cancel ........................................................................................................................................ 84 4.26 Poll ............................................................................................................................................. 85
5 Server-to-Client Operations ................................................................................................................ 86 5.1 Notify .......................................................................................................................................... 86 5.2 Put .............................................................................................................................................. 86
6 Message Contents.............................................................................................................................. 88 6.1 Protocol Version ........................................................................................................................ 88 6.2 Operation ................................................................................................................................... 88 6.3 Maximum Response Size .......................................................................................................... 88 6.4 Unique Batch Item ID ................................................................................................................. 88 6.5 Time Stamp................................................................................................................................ 89 6.6 Authentication ............................................................................................................................ 89 6.7 Asynchronous Indicator ............................................................................................................. 89 6.8 Asynchronous Correlation Value ............................................................................................... 90 6.9 Result Status ............................................................................................................................. 90 6.10 Result Reason ........................................................................................................................... 90 6.11 Result Message ......................................................................................................................... 91 6.12 Batch Order Option .................................................................................................................... 91 6.13 Batch Error Continuation Option ................................................................................................ 92 6.14 Batch Count ............................................................................................................................... 92 6.15 Batch Item .................................................................................................................................. 92 6.16 Message Extension ................................................................................................................... 92
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 10 of 176
7 Message Format ................................................................................................................................. 94 7.1 Message Structure ..................................................................................................................... 94 7.2 Operations ................................................................................................................................. 94 6.1 Asynchronous Operations ................................................................................................................ 95
8 Authentication ..................................................................................................................................... 98 9 Message Encoding ............................................................................................................................. 99
9.1 TTLV Encoding .......................................................................................................................... 99 9.1.1 TTLV Encoding Fields ........................................................................................................... 99 9.1.2 Examples ............................................................................................................................. 101 9.1.3 Defined Values .................................................................................................................... 102
9.2 XML Encoding ......................................................................................................................... 122 10 Transport .......................................................................................................................................... 123 11 Error Handling .................................................................................................................................. 124
11.1 General .................................................................................................................................... 124 11.2 Create ...................................................................................................................................... 125 11.3 Create Key Pair ....................................................................................................................... 125 11.4 Register .................................................................................................................................... 126 11.5 Re-key ...................................................................................................................................... 126 11.6 Derive Key ............................................................................................................................... 127 11.7 Certify ....................................................................................................................................... 128 11.8 Re-certify .................................................................................................................................. 128 11.9 Locate ...................................................................................................................................... 128 11.10 Check .................................................................................................................................. 129 11.11 Get ....................................................................................................................................... 129 11.12 Get Attributes ....................................................................................................................... 130 11.13 Get Attribute List .................................................................................................................. 130 11.14 Add Attribute ........................................................................................................................ 130 11.15 Modify Attribute.................................................................................................................... 131 11.16 Delete Attribute .................................................................................................................... 131 11.17 Obtain Lease ....................................................................................................................... 132 11.18 Get Usage Allocation ........................................................................................................... 132 11.19 Activate ................................................................................................................................ 132 11.20 Revoke ................................................................................................................................ 133 11.21 Destroy ................................................................................................................................ 133 11.22 Archive ................................................................................................................................. 133 11.23 Recover ............................................................................................................................... 133 11.24 Validate ................................................................................................................................ 133 11.25 Query ................................................................................................................................... 134 11.26 Cancel ................................................................................................................................. 134 11.27 Poll ....................................................................................................................................... 134 11.28 Batch Items .......................................................................................................................... 134
12 Server Baseline Implementation Conformance Profile .................................................................... 135 12.1 Conformance clauses for a KMIP Server ................................................................................ 135
A. Attribute Cross-reference...................................................................................................................... 137 B. Tag Cross-reference ............................................................................................................................. 139
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 11 of 176
C. Operation and Object Cross-reference ................................................................................................ 144 D. Acronyms .............................................................................................................................................. 145 E. List of Figures and Tables .................................................................................................................... 148 F. Acknowledgements ............................................................................................................................... 155 G. Revision History ................................................................................................................................... 157
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 12 of 176
1 Introduction 1
This document is intended as a specification of the protocol used for the communication between clients 2 and servers to perform certain management operations on objects stored and maintained by a key 3 management system. These objects are referred to as Managed Objects in this specification. They 4 include symmetric and asymmetric cryptographic keys, digital certificates, and templates used to simplify 5 the creation of objects and control their use. Managed Objects are managed with operations that include 6 the ability to generate cryptographic keys, register objects with the key management system, obtain 7 objects from the system, destroy objects from the system, and search for objects maintained by the 8 system. Managed Objects also have associated attributes, which are named values stored by the key 9 management system and are obtained from the system via operations. Certain attributes are added, 10 modified, or deleted by operations. 11
The protocol specified in this document includes several certificate-related functions for which there are a 12 number of existing protocols – namely Validate (e.g., SCVPSVP or XKMS), Certify (e.g. CMP, CMC, 13 SCEP) and Re-certify (e.g. CMP, CMC, SCEP). The protocol does not attempt to define a comprehensive 14 certificate management protocol, such as would be needed for a certification authority. However, it does 15 include functions that are needed to allow a key server to provide a proxy for certificate management 16 functions. 17
In addition to the normative definitions for managed objects, operations and attributes, this specification 18 also includes normative definitions for the following aspects of the protocol: 19
• The expected behavior of the server and client as a result of operations, 20
• Message contents and formats, 21
• Message encoding (including enumerations), and 22
• Error handling. 23
This specification is complemented by three other documents. The Usage Guide [KMIP-UG] provides 24 illustrative information on using the protocol. The KMIP Profiles Specification [KMIP-Prof] provides a 25 selected set of conformance profiles and authentication suites. The Test Specification [KMIP-UC] 26 provides samples of protocol messages corresponding to a set of defined test cases. 27
This specification defines the KMIP protocol version major 1 and minor 0 (see 6.16.1 ). 28
1.1 1.1 Terminology 29
The key words "SHALL", "SHALL NOT", "REQUIRED", "SHOULD", "SHOULD NOT", 30 "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in 31 [RFC2119]. The words ‘must’, ‘can’, and ‘will’ are forbidden. 32 For definitions not found in this document, see [SP800-57-1]. 33
Archive To place information not accessed frequently into long-term storage.
Asymmetric key pair (key pair)
A public key and its corresponding private key; a key pair is used with a public key algorithm.
Authentication A process that establishes the origin of information, or determines an entity’s identity.
Authentication code A cryptographic checksum based on aan Approved security function (also known as a Message Authentication Code).
Authorization Access privileges that are granted to an entity; conveying an “official” sanction to perform a security function or activity.
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted Table
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 13 of 176
Certification authority The entity in a Public Key Infrastructure (PKI) that is responsible for issuing certificates, and exacting compliance to a PKI policy.
Ciphertext Data in its encrypted form.
Compromise The unauthorized disclosure, modification, substitution or use of sensitive data (e.g., keying material and other security- related information).
Confidentiality The property that sensitive information is not disclosed to unauthorized entities.
Cryptographic algorithm
A well-defined computational procedure that takes variable inputs, including a cryptographic key and produces an output.
Cryptographic key (key)
A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples include: 1. The transformation of plaintext data into ciphertext data, 2. The transformation of ciphertext data into plaintext data, 3. The computation of a digital signature from data, 4. The verification of a digital signature, 5. The computation of an authentication code from data, 6. The verification of an authentication code from data and a received authentication code.,
Decryption The process of changing ciphertext into plaintext using a cryptographic algorithm and key.
Digest (or hash) The result of applying a hash function to information.
Digital signature (signature)
The result of a cryptographic transformation of data that, when properly implemented with supporting infrastructure and policy, provides the services of: 1. origin authentication 2. data integrity, and 3. signer non-repudiation.
Encryption The process of changing plaintext into ciphertext using a cryptographic algorithm and key.
Hashing algorithmHash function
An algorithmA function that maps a bit string of arbitrary length to a fixed length bit string. Approved hashing algorithmshash functions satisfy the following properties: 1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and 2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
Integrity The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
Key derivation (derivation)
A function in the lifecycle of keying material; the process by which one or more keys are derived from 1) either a shared secret from a key
Formatted Table
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 14 of 176
agreement computation or a pre-shared cryptographic key, and 2) other information.
Key management The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction.
Key wrapping (wrapping)
A method of encrypting and/or MACing/signing keys (along with associated integrity information) that provides both confidentiality and integrity protection using cryptographic keys.a symmetric key.
Message authentication code (MAC)
A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of data.
Private key A cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public. The In an asymmetric (public) cryptosystem, the private key is associated with a public key. Depending on the algorithm, the private key may be used to: 1. Compute the corresponding public key, 2. Compute a digital signature that may be verified by the corresponding public key, 3. Decrypt data that was encrypted by the corresponding public key, or 4. Compute a piece of common shared data, together with other information.
Profile A specification of objects, attributes, operations, message elements and authentication methods to be used in specific contexts of key management server and client interactions (see [KMIP-Prof]).
Public key A cryptographic key used with a public key cryptographic algorithm that is uniquely associated with an entity and that may be made public. The In an asymmetric (public) cryptosystem, the public key is associated with a private key. The public key may be known by anyone and, depending on the algorithm, may be used to: 1. Verify a digital signature that is signed by the corresponding private key, 2. Encrypt data that can be decrypted by the corresponding private key, or 3. Compute a piece of shared data.
Public key certificate (certificate)
A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity.
Public key cryptographic algorithm
A cryptographic algorithm that uses two related keys, a public key and a private key. The two keys have the property that determining the private key from the public key is computationally infeasible.
Public Key Infrastructure
A framework that is established to issue, maintain and revoke public key certificates.
Recover To retrieve information that was archived to long-term storage.
Split knowledge A process by which a cryptographic key is split into n multiple key components, individually providing no knowledge of the original key, which can be subsequently combined to recreate the original
Formatted Table
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 15 of 176
cryptographic key. If knowledge of k (where k is less than or equal to n) components is required to construct the original key, then knowledge of any k-1 key components provides no information about the original key other than, possiblypossibility, its length.
Symmetric key A single cryptographic key that is used with a secret (symmetric) key algorithm.
Symmetric key algorithm
A cryptographic algorithm that uses the same secret (symmetric) key for an operation and its complement (e.g., encryption and decryption).
X.509 certificate The ISO/ITU-T X.509 standard defined two types of certificates – the X.509 public key certificate, and the X.509 attribute certificate. Most commonly (including this document), an X.509 certificate refers to the X.509 public key certificate.
X.509 public key certificate
The public key for a user (or device) and a name for the user (or device), together with some other information, rendered un-forgeable by the digital signature of the certification authority that issued the certificate, encoded in the format defined in the ISO/ITU-T X.509 standard.
Table 1: Terminology 34
35
1.2 1.2 Normative References 36
[FIPS186-3] Digital Signature Standard (DSS), FIPS PUB 186-3, JunJune 2009, 37 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf 38
[FIPS197] Advanced Encryption Standard, FIPS PUB 197, Nov 2001, 39 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 40
[FIPS198-1] The Keyed-Hash Message Authentication Code (HMAC), FIPS PUB 198-1, 41 JulJuly 2008, http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf 42
[IEEE1003-1] IEEE Std 1003.1, Standard for information technology - portable operating 43 system interface (POSIX). Shell and utilities, 2004. 44
[ISO16609] ISO, Banking -- Requirements for message authentication using symmetric 45 techniques, ISO 16609, 1991 46
[ISO9797-1] ISO/IEC, Information technology -- Security techniques -- Message 47 Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher, 48 ISO/IEC 9797-1, 1999. 49
[KMIP-Prof] OASIS Committee Draft 05, Key Management Interoperability Protocol Profiles 50 Version 1.,0, MarCommittee Draft, November 201009, http://docs.oasis-51 open.org/kmip/profiles/v1.0/cd05/kmip-profiles-1.0-cd-05.doc . 52
[PKCS#1] RSA Laboratories, PKCS #1 v2.1: RSA Cryptography Standard, JunJune 14, 53 2002, . http://www.rsa.com/rsalabs/node.asp?id=2125 54
[PKCS#5] RSA Laboratories, PKCS #5 v2.1: Password-Based Cryptography Standard, 55 OctOctober 5, 2006,. http://www.rsa.com/rsalabs/node.asp?id=2127 56
[PKCS#7] RSA Laboratories, PKCS#7 v1.5: Cryptographic Message Syntax Standard, Nov. 57 November 1, 1993,. http://www.rsa.com/rsalabs/node.asp?id=2129 58
[PKCS#8] RSA Laboratories, PKCS#8 v1.2: Private-Key Information Syntax Standard, 59 NovNovember 1, 1993,. http://www.rsa.com/rsalabs/node.asp?id=2130 60
[PKCS#10] RSA Laboratories, PKCS #10 v1.7: Certification Request Syntax Standard, May 61 26, 2000,. http://www.rsa.com/rsalabs/node.asp?id=2132 62
[RFC1319] B. Kaliski, The MD2 Message-Digest Algorithm, IETF RFC 1319, Apr 1992, 63 http://www.ietf.org/rfc/rfc1319.txt 64
[RFC1320] R. Rivest, The MD4 Message-Digest Algorithm, IETF RFC 1320, Apr 1992, 65 http://www.ietf.org/rfc/rfc1320.txt 66
Formatted: Keep with next
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 16 of 176
[RFC1321] R. Rivest, The MD5 Message-Digest Algorithm, IETF RFC 1321, Apr 1992, 67 http://www.ietf.org/rfc/rfc1321.txt 68
[RFC1421] J. Linn, Privacy Enhancement for Internet Electronic Mail: Part I: Message 69 Encryption and Authentication Procedures, ¸IETF RFC 1421, Feb 1993, 70 http://www.ietf.org/rfc/rfc1421.txt 71
[RFC1424] B. Kaliski, Privacy Enhancement for Internet Electronic Mail: Part IV: Key 72 Certification and Related Services, IETF RFC 1424, Feb February 1993,. 73 http://www.ietf.org/rfc/rfc1424.txt 74
[RFC2104] H. Krawczyk, M. Bellare, R. Canetti, HMAC: Keyed-Hashing for Message 75 Authentication, IETF RFC 2104,. Feb 19971007, 76 http://www.ietf.org/rfc/rfc2104.txt 77
[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, IETF 78 RFC 2119, Mar 1997, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 79 1997. 80
[RFC 2246] T. Dierks and C. Allen, The TLS Protocol, Version 1.0, IETF RFC 2246, Jan 81 1999, http://www.ietf.org/rfc/rfc2246.txt 82
[RFC2898] B. Kaliski, PKCS #5: Password-Based Cryptography Specification Version 2.0, 83 IETF RFC 2898, Sep 2000, http://www.ietf.org/rfc/rfc2898.txt 84
[RFC 3394] J. Schaad, R. Housley, Advanced Encryption Standard (AES) Key Wrap 85 Algorithm, IETF RFC 3394, Sep 2002, http://www.ietf.org/rfc/rfc3394.txt 86
[RFC3447] J. Jonsson, B. Kaliski, Public-Key Cryptography Standards (PKCS) #1: RSA 87 Cryptography Specifications Version 2.1, IETF RFC 3447, Feb 2003, 88 http://www.ietf.org/rfc/rfc3447.txt 89
[RFC3629] F. Yergeau, UTF-8, a transformation format of ISO 10646, IETF RFC 3629, Nov 90 2003, http://www.ietf.org/rfc/rfc3629.txt 91
[RFC3647] S. Chokhani, W. Ford, R. Sabett, C. Merrill, and S. Wu, Internet X.509 Public Key 92 Infrastructure Certificate Policy and Certification Practices Framework, IETF RFC 93 3647, NovNovember 2003,. http://www.ietf.org/rfc/rfc3647.txt 94
[RFC4210] C. Adams, S. Farrell, T. Kause and T. Mononen, Internet X.509 Public Key 95 Infrastructure Certificate Management Protocol (CMP), IETF RFC 2510, 96 SepSeptember 2005,. http://www.ietf.org/rfc/rfc4210.txt 97
[RFC4211] J. Schaad, Internet X.509 Public Key Infrastructure Certificate Request Message 98 Format (CRMF), IETF RFC 4211, Sep 2005, http://www.ietf.org/rfc/rfc4211.txt 99
[RFC4868] S. Kelly, S. Frankel, Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-100 512 with IPsec, IETF RFC 4868, May 2007, http://www.ietf.org/rfc/rfc4868.txt 101
[RFC4949] R. Shirey, Internet Security Glossary, Version 2, IETF RFC 4949, AugAugust 102 2007,. http://www.ietf.org/rfc/rfc4949.txt 103
[RFC5272] J. Schaad and M. Meyers, Certificate Management over CMS (CMC), IETF RFC 104 5272, JunJune 2008,. http://www.ietf.org/rfc/rfc5272.txt 105
[RFC5280] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk, Internet 106 X.509 Public Key Infrastructure Certificate, IETF RFC 5280, May 2008, 107 http://www.ietf.org/rfc/rfc5280.txt 108
[RFC5649] R. Housley, Advanced Encryption Standard (AES) Key Wrap with Padding 109 Algorithm, IETF RFC 5649, Aug 2009, http://www.ietf.org/rfc/rfc5649.txt 110
[SHAMIR1979] A. Shamir, How to share a secret, Communications of the ACM, vol. 22, no. 11, 111 pp. 612-613, Nov 1979 112
[SP800-38A] M. Dworkin, Recommendation for Block Cipher Modes of Operation – Methods 113 and Techniques, NIST Special Publication 800-38A, Dec 2001, 114 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 115
[SP800-38B] M. Dworkin, Recommendation for Block Cipher Modes of Operation: The CMAC 116 Mode for Authentication, NIST Special Publication 800-38B, May 2005, 117 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf 118
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 17 of 176
[SP800-38C] M. Dworkin, Recommendation for Block Cipher Modes of Operation: the CCM 119 Mode for Authentication and Confidentiality, NIST Special Publication 800-38C, 120 May 2004, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-121 38C_updated-July20_2007.pdf 122
[SP800-38D] M. Dworkin, Recommendation for Block Cipher Modes of Operation: 123 Galois/Counter Mode (GCM) and GMAC, NIST Special Publication 800-38D, Nov 124 2007, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf 125
[SP800-38E] M. Dworkin, Recommendation for Block Cipher Modes of Operation: The XTS-126 AES Mode for Confidentiality on Block-Oriented Storage Devices, NIST Special 127 Publication 800-38E, Jan 2010, http://csrc.nist.gov/publications/nistpubs/800-128 38E/nist-sp-800-38E.pdf 129
[SP800-56A] E. Barker, D. Johnson, and M. Smid, Recommendation for Pair-Wise Key 130 Establishment Schemes Using Discrete Logarithm Cryptography (Revised), NIST 131 Special Publication 800-56A, Mar 2007Aug 2009 (draft), 132 http://csrc.nist.gov/publications/nistpubsdrafts/800-56A/SP800-133 56A_Revision1_Mar08-200738E/draft-sp800-38E.pdf 134
[SP800-56B] E. Barker, L. Chen, A. Regenscheid, and M. Smid, Recommendation for Pair-135 Wise Key Establishment Schemes Using Integer Factorization Cryptography, 136 NIST Special Publication 800-56B, Aug 2009, 137 http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf 138
[SP800-57-1] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, Recommendations for Key 139 Management - Part 1: General (Revised), NIST Special Publication 800-57 part 140 1, MarMarch 2007, http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-141 Part1-revised2_Mar08-2007.pdf 142
[SP800-67] W. Barker, Recommendation for the Triple Data Encryption Algorithm (TDEA) 143 Block Cipher, NIST Special Publication 800-67, Version 1.1, Revised 19 May 144 2008, http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf 145
[SP800-108] L. Chen, Recommendation for Key Derivation Using Pseudorandom Functions 146 (Revised), NIST Special Publication 800-108, OctOctober 2009, 147 http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf 148
[X.509] International Telecommunication Union (ITU)–T, X.509: Information technology 149 – Open systems interconnection – The Directory: Public-key and attribute 150 certificate frameworks, AugAugust 2005,. http://www.itu.int/rec/T-REC-X.509-151 200508-I/en 152
[X9.24-1] ANSI, X9.24 - Retail Financial Services Symmetric Key Management - Part 1: 153 Using Symmetric Techniques, 2004. 154
[X9.31] ANSI, X9.31:Digital Signatures Using Reversible Public Key Cryptography for the 155 Financial Services Industry (rDSA), SepSeptember 1998. 156
[X9.42] ANSI, X9-42: Public Key Cryptography for the Financial Services Industry: 157 Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, 2003. 158
[X9-57] ANSI, X9-57: Public Key Cryptography for the Financial Services Industry: 159 Certificate Management, 1997. 160
[X9.62] ANSI, X9-62: Public Key Cryptography for the Financial Services Industry, The 161 Elliptic Curve Digital Signature Algorithm (ECDSA), 2005. 162
[X9-63] ANSI, X9-63: Public Key Cryptography for the Financial Services Industry, Key 163 Agreement and Key Transport Using Elliptic Curve Cryptography, 2001. 164
[X9-102] ANSI, X9-102: Symmetric Key Cryptography for the Financial Services Industry - 165 Wrapping of Keys and Associated Data, 2008. 166
[X9 TR-31] ANSI, X9 TR-31: Interoperable Secure Key Exchange Key Block Specification for 167 Symmetric Algorithms, 2005. 168
169
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 18 of 176
1.3 1.3 Non-normative References 170
[KMIP-UG] OASIS Committee Draft 09, Key Management Interoperability Protocol Usage 171 Guide Version 1.0, MarCommittee Draft , November 201009, http://docs.oasis-172 open.org/kmip/ug/v1.0/cd09/kmip-ug-1.0-cd-09.doc . 173
[KMIP-UC] OASIS Committee Draft 09, Key Management Interoperability Protocol Use 174 Cases Version 1.0, MarCommittee Draft, November 201009, http://docs.oasis-175 open.org/kmip/usecases/v1.0/cd09/kmip-usecases-1.0-cd-09.doc . 176
[ISO/IEC 9945-2] The Open Group, Regular Expressions, The Single UNIX Specification version 2, 177 1997, ISO/IEC 9945-2:1993, 178 http://www.opengroup.org/onlinepubs/007908799/xbd/re.html 179 http://www.opengroup.org/onlinepubs/007908799/xbd/re.html 180
181
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 19 of 176
2 2 Objects 182
The following subsections describe the objects that are passed between the clients and servers of the key 183 management system. Some of these object types, called Base Objects, are used only in the protocol 184 itself, and are not considered Managed Objects. Key management systems MAY choose to support a 185 subset of the Managed Objects. The object descriptions refer to the primitive data types of which they are 186 composed. These primitive data types are 187
• Integer 188
• Long Integer 189
• Big Integer 190
• Enumeration – choices from a predefined list of values 191
• Boolean 192
• Text String – string of characters representing human-readable text 193
• Byte String – sequence of unencoded byte values 194
• Date-Time – date and time, with a granularity of one second 195
• Interval – a length of time interval expressed in seconds 196
Structures are composed of ordered lists of primitive data types or sub-structures. 197
2.1 2.1 Base Objects 198
These objects are used within the messages of the protocol, but are not objects managed by the key 199 management system. They are components of Managed Objects. 200
2.1.1 2.1.1 Attribute 201
An Attribute object is a structure (see Table 2Table 2Table 21) used for sending and receiving Managed 202 Object attributes. The Attribute Name is a text-string that is used to identify the attribute. The Attribute 203 Index is an index number assigned by the key management server when a specified named attribute is 204 allowed to have multiple instances. The Attribute Index is used to identify the particular instance. Attribute 205 Indices SHALL start with 0. The Attribute Index of an attribute SHALL NOT change when other instances 206 are added or deleted. For example, if a particular attribute has 4 instances with Attribute Indices 0, 1, 2 207 and 3, and the instance with Attribute Index 2 is deleted, then the Attribute Index of instance 3 is not 208 changed. Attributes that have a single instance have an Attribute Index of 0, which is assumed if the 209 Attribute Index is not specified. The Attribute Value is either a primitive data type or structured object, 210 depending on the attribute. 211
Object Encoding REQUIREDAttribute Structure
Attribute Name Text String Yes
Attribute Index Integer No
Attribute Value Varies, depending on attribute. See Section 33
Yes, except for the Notify operation (see Section 5.1)
Table 2: Attribute Object Structure 212
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing: )
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 20 of 176
2.1.2 2.1.2 Credential 213
A Credential is a structure (see Table 3Table 3Table 32) used for client identification purposes and is not 214 managed by the key management system (e.g., user id/password pairs, Kerberos tokens, etc). It MAY be 215 used for authentication purposes as indicated in [KMIP-Prof]. 216
Object Encoding REQUIREDCredential Structure
Credential Type Enumeration, see Enumeration, see 9.1.3.2.19.1.3.2.1
Yes
Credential Value Varies. Structure for Username and Password Credential Type.Byte String
Yes
Table 3: Credential Object Structure 217
If the Credential Type in the Credential is Username and Password, then Credential Value is a structure 218 as shown in Table 4Table 4Table 4. The Username field identifies the client, and the Password field is a 219 secret that authenticates the client. 220
Object Encoding REQUIREDCredential Value Structure
Username Text String Yes
Password Text String No
Table 4: Credential Value Structure for the Username and Password Credential 221
222
2.1.3 2.1.3 Key Block 223
A Key Block object is a structure (see Table 5Table 5Table 53) used to encapsulate all of the information 224 that is closely associated with a cryptographic key. It contains a Key Value of one of the following Key 225 Format Types: 226
• Raw – This is a key that contains only cryptographic key material, encoded as a string of bytes. 227
• Opaque – This is an encoded key for which the encoding is unknown to the key management 228 system. It is encoded as a string of bytes. 229
• PKCS1 – This is an encoded private key, expressed as a DER-encoded ASN.1 PKCS#1 object. 230
• PKCS8 – This is an encoded private key, expressed as a DER-encoded ASN.1 PKCS#8 object, 231 supporting both the RSAPrivateKey syntax and EncryptedPrivateKey. 232
• X.509 – This is an encoded object, expressed as a DER-encoded ASN.1 X.509 object. 233
• ECPrivateKey – This is an ASN.1 encoded elliptic curve private key. 234
• Several Transparent Key types – These are algorithm-specific structures containing defined 235 values for the various key types, as defined in Section 2.1.72.1.7 236
• Extensions – These are vendor-specific extensions to allow for proprietary or legacy key formats. 237
The Key Block MAY contain the Key Compression Type, which indicates the format of the elliptic curve 238 public key. By default, the public key is uncompressed. 239
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.35 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 21 of 176
The Key Block also has the Cryptographic Algorithm and the Cryptographic Length of the key contained 240 in the Key Value field. Some example values are: 241
• RSA keys are typically 1024, 2048 or 3072 bits in length 242
• 3DES keys are typically 168 bits in length 243
• AES keys are typically 128 or 256 bits in length 244
The Key Block SHALL contain a Key Wrapping Data structure if the key in the Key Value field is wrapped 245 (i.e., encrypted, or MACed/signed, or both). 246
Object Encoding REQUIREDKey Block Structure
Key Format Type Enumeration, see Enumeration, see 9.1.3.2.39.1.3.2.3
Yes
Key Compression Type
Enumeration, see Enumeration, see 9.1.3.2.29.1.3.2.2
No
Key Value Byte String: for wrapped Key Value; Structure: for plaintext Key Value, see 2.1.42.1.4
Yes
Cryptographic Algorithm
Enumeration, see Enumeration, see 9.1.3.2.129.1.3.2.12
Yes, MAY be omitted only if this information is available from the Key Value. Does not apply to Secret Data or Opaque Objects. If present, the Cryptographic Length SHALL also be present.
Cryptographic Length
Integer Yes, MAY be omitted only if this information is available from the Key Value. Does not apply to Secret Data or Opaque Objects. If present, the Cryptographic Algorithm SHALL also be present.
Key Wrapping Data Structure, see 2.1.52.1.5
No, SHALL only be present if the key is wrapped.
Table 5: Key Block Object Structure 247
2.1.4 2.1.4 Key Value 248
The Key Value is used only inside a Key Block and is either a Byte String or a structure (see Table 249 6Table 6Table 64): 250
• The Key Value structure contains the key material, either as a byte string or as a Transparent Key 251 structure (see Section 2.1.72.1.7 ), and OPTIONAL attribute information that is associated and 252 encapsulated with the key material. This attribute information differs from the attributes 253 associated with Managed Objects, and which is obtained via the Get Attributes operation, only by 254 the fact that it is encapsulated with (and possibly wrapped with) the key material itself. 255
• The Key Value Byte String is the wrapped TTLV-encoded (see Section 9.19.1 ) Key Value 256 structure. 257
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Font: Bold
Formatted: Font: 13 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 22 of 176
Object Encoding REQUIREDKey Value Structure
Key Material Byte String: for Raw, Opaque, PKCS1, PKCS8, ECPrivateKey, or Extension Key Format types; Structure: for Transparent, or Extension Key Format Types
Yes
Attribute Attribute Object, see Section 2.1.12.1.1
No. MAY be repeated
Table 6: Key Value Object Structure 258
2.1.5 2.1.5 Key Wrapping Data 259
The Key Block MAY also supply OPTIONAL information about a cryptographic key wrapping mechanism 260 used to wrap the Key Value. This consists of a Key Wrapping Data structure (see Table 7Table 7Table 261 75). It is only used inside a Key Block. 262
This structure contains fields for: 263
• A Wrapping Method, which indicates the method used to wrap the Key Value. 264
• Encryption Key Information, which contains the Unique Identifier (see 3.13.1 ) value of the 265 encryption key and associated cryptographic parameters. 266
• MAC/Signature Key Information, which contains the Unique Identifier value of the MAC/signature 267 key and associated cryptographic parameters. 268
• A MAC/Signature, which contains a MAC or signature of the Key Value. 269
• An IV/Counter/Nonce, if REQUIRED by the wrapping method. 270
If wrapping is used, then the whole Key Value structure is wrapped unless otherwise specified by the 271 Wrapping Method. The algorithms used for wrapping are given by the Cryptographic Algorithm attributes 272 of the encryption key and/or MAC/signature key; the block-cipher mode, padding method, and hashing 273 algorithm used for wrapping are given by the Cryptographic Parameters in the Encryption Key Information 274 and/or MAC/Signature Key Information, or, if not present, from the Cryptographic Parameters attribute of 275 the respective key(s). At least one of the Encryption Key Information and the MAC/Signature Key 276 Information SHALL be specified. 277
The following wrapping methods are currently defined: 278
• Encrypt only (i.e., encryption using a symmetric key or public key, or authenticated encryption 279 algorithms that use a single key) 280
• MAC/sign only (i.e., either MACing the Key Value with a symmetric key, or signing the Key Value 281 with a private key) 282
• Encrypt then MAC/sign 283
• MAC/sign then encrypt 284
• TR-31 285
• Extensions 286
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.35 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 23 of 176
Object Encoding REQUIREDKey Wrapping Data Structure
Wrapping Method Enumeration, see Enumeration, see 9.1.3.2.49.1.3.2.4
Yes
Encryption Key Information
Structure, see below No. Corresponds to the key that was used to encrypt the Key Value.
MAC/Signature Key Information
Structure, see below No. Corresponds to the symmetric key used to MAC the Key Value or the private key used to sign the Key Value
MAC/Signature Byte String No
IV/Counter/Nonce Byte String No
Table 7: Key Wrapping Data Object Structure 287
The structures of the Encryption Key Information (see Table 8Table 8Table 86) and the MAC/Signature 288 Key Information (see Table 9Table 9Table 97) are as follows: 289
Object Encoding REQUIREDEncryption Key Information Structure
Unique Identifier Text string, see Text string, see 3.13.1
Yes
Cryptographic Parameters
Structure, see Structure, see 3.63.6
No
Table 8: Encryption Key Information Object Structure 290
Object Encoding REQUIREDMAC/Signature Key Information
Structure
Unique Identifier Text string, see Text string, see 3.13.1
Yes. It SHALL be either the Unique Identifier of the Symmetric Key used to MAC, or of the Private Key (or its corresponding Public Key) used to sign.
Cryptographic Parameters
Structure, see Structure, see 3.63.6
No
Table 9: MAC/Signature Key Information Object Structure 291
2.1.6 2.1.6 Key Wrapping Specification 292
This is a separate structure (see Table 10Table 10Table 108) that is defined for operations that provide 293 the option to return wrapped keys. The Key Wrapping Specification SHALL be included inside the 294 operation request if clients request the server to return a wrapped key. If Cryptographic Parameters are 295 specified in the Encryption Key Information and/or the MAC/Signature Key Information of the Key 296
Field Code Changed
Field Code Changed
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.35 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 24 of 176
Wrapping Specification, then the server SHALL verify that they match one of the instances of the 297 Cryptographic Parameters attribute of the corresponding key. If Cryptographic Parameters are omitted, 298 then the server SHALL use the Cryptographic Parameters attribute with the lowest Attribute Index of the 299 corresponding key. If the corresponding key does not have any Cryptographic Parameters attribute, or if 300 no match is found, then an error is returned. 301
This structure contains: 302
• A Wrapping Method that indicates the method used to wrap the Key Value. 303
• An Encryption Key Information with the Unique Identifier value of the encryption key and 304 associated cryptographic parameters. 305
• A MAC/Signature Key Information with the Unique Identifier value of the MAC/signature key and 306 associated cryptographic parameters. 307
• Zero or more Attribute Names to indicate the attributes to be wrapped with the key material. 308
Object Encoding REQUIREDKey Wrapping Specification Structure
Wrapping Method Enumeration, see Enumeration, see 9.1.3.2.49.1.3.2.4
Yes
Encryption Key Information
Structure, see Structure, see 2.1.52.1.5
No, SHALL be present if MAC/Signature Key Information is omitted
MAC/Signature Key Information
Structure, see Structure, see 2.1.52.1.5
No, SHALL be present if Encryption Key Information is omitted
Attribute Name Text String No, MAY be repeated
Table 10: Key Wrapping Specification Object Structure 309
2.1.7 2.1.7 Transparent Key Structures 310
Transparent Key structures describe the necessary parameters to obtain the key material in a form that is 311 easily interpreted by all participants in the protocol. They are used in the Key Value structure. The 312 mapping to the parameters specified in other standards is shown in Table 11. 313
Object Description Mapping
P For DSA and DH, the (large) prime field order. For RSA, a prime factor of the modulus.
p in [FIPS186-3], [X9.42], [SP800-56A] p in [PKCS#1], [SP800-56B]
Q For DSA and DH, the (small) prime multiplicative subgroup order. For RSA, a prime factor of the modulus.
q in [FIPS186-3], [X9.42], [SP800-56A] q in [PKCS#1], [SP800-56B]
G The generator of the subgroup of order Q. g in [FIPS186-3], [X9.42], [SP800-56A]
X DSA or DH private key. x in [FIPS186-3] x, xu, xv in [X9.42], [SP800-56A] for static private keys r, ru, rv in [X9.42], [SP800-56A]
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt
Formatted: Font: Bold
Formatted: Font: Not Italic
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 25 of 176
for ephemeral private keys
Y DSA or DH public key. y in [FIPS186-3] y, yu, yv in [X9.42], [SP800-56A] for static public keys t, tu, tv in [X9.42], [SP800-56A] for ephemeral public keys
J DH cofactor integer, where P = JQ + 1. j in [X9.42]
Modulus RSA modulus PQ, where P and Q are distinct primes.
n in [PKCS#1], [SP800-56B]
Private Exponent RSA private exponent. d in [PKCS#1], [SP800-56B]
Public Exponent RSA public exponent. e in [PKCS#1], [SP800-56B]
Prime Exponent P RSA private exponent for the prime factor P in the CRT format, i.e., Private Exponent (mod (P-1)).
dP in [PKCS#1], [SP800-56B]
Prime Exponent Q RSA private exponent for the prime factor Q in the CRT format, i.e., Private Exponent (mod (Q-1)).
dQ in [PKCS#1], [SP800-56B]
CRT Coefficient The (first) CRT coefficient, i.e., Q-1 mod P. qInv in [PKCS#1], [SP800-56B]
Recommended Curve
NIST Recommended Curves (e.g., P-192). See Appendix D of [FIPS186-3]
D Elliptic curve private key. d; de,U,de,V (ephemeral private keys); ds,U,ds,V (static private keys) in [X9-63], [SP800-56A]
Q String Elliptic curve public key. Q; Qe,U,Qe,V (ephemeral public keys); Qs,U,Qs,V (static public keys) in [X9-63], [SP800-56A]
Table 11: Parameter mapping. 314
2.1.7.1 2.1.7.1 Transparent Symmetric Key 315
If the Key Format Type in the Key Block is Transparent Symmetric Key, then Key Material is a structure 316 as shown in Table 12Table 12Table 129. 317
Object Encoding REQUIREDKey Material Structure
Key Byte String Yes
Table 12: Key Material Object Structure for Transparent Symmetric Keys 318
2.1.7.2 2.1.7.2 Transparent DSA Private Key 319
If the Key Format Type in the Key Block is Transparent DSA Private Key, then Key Material is a structure 320 as shown in Table 13Table 13Table 1310. 321
Formatted: Caption
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 26 of 176
Object Encoding REQUIREDKey Material Structure
P Big Integer Yes
Q Big Integer Yes
G Big Integer Yes
X Big Integer Yes
Table 13: Key Material Object Structure for Transparent DSA Private Keys 322
P is the prime modulus. Q is the prime divisor of P-1. G is the generator. X is the private key (refer to 323 NIST FIPS PUB 186-3). 324
2.1.7.3 2.1.7.3 Transparent DSA Public Key 325
If the Key Format Type in the Key Block is Transparent DSA Public Key, then Key Material is a structure 326 as shown in Table 14Table 14Table 1411. 327
Object Encoding REQUIREDKey Material Structure
P Big Integer Yes
Q Big Integer Yes
G Big Integer Yes
Y Big Integer Yes
Table 14: Key Material Object Structure for Transparent DSA Public Keys 328
P is the prime modulus. Q is the prime divisor of P-1. G is the generator. Y is the public key (refer to NIST 329 FIPS PUB 186-3). 330
2.1.7.4 2.1.7.4 Transparent RSA Private Key 331
If the Key Format Type in the Key Block is Transparent RSA Private Key, then Key Material is a structure 332 as shown in Table 15Table 15Table 1512. 333
Object Encoding REQUIREDKey Material Structure
Modulus Big Integer Yes
Private Exponent Big Integer No
Public Exponent Big Integer No
P Big Integer No
Q Big Integer No
Prime Exponent P Big Integer No
Prime Exponent Q Big Integer No
CRT Coefficient Big Integer No
Table 15: Key Material Object Structure for Transparent RSA Private Keys 334
One of the following SHALL be present (refer to [PKCS#1]RSA PKCS#1): 335
• Private Exponent 336
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 27 of 176
• P and Q (the first two prime factors of Modulus) 337
• Prime Exponent P and Prime Exponent Q. 338
2.1.7.5 2.1.7.5 Transparent RSA Public Key 339
If the Key Format Type in the Key Block is Transparent RSA Public Key, then Key Material is a structure 340 as shown in Table 16Table 16Table 1613. 341
Object Encoding REQUIREDKey Material Structure
Modulus Big Integer Yes
Public Exponent Big Integer Yes
Table 16: Key Material Object Structure for Transparent RSA Public Keys 342
2.1.7.6 2.1.7.6 Transparent DH Private Key 343
If the Key Format Type in the Key Block is Transparent DH Private Key, then Key Material is a structure 344 as shown in Table 17Table 17Table 1714. 345
Object Encoding REQUIREDKey Material Structure
P Big Integer Yes
Q Big Integer No
G Big Integer Yes
Q Big Integer No
J Big Integer No
X Big Integer Yes
Table 17: Key Material Object Structure for Transparent DH Private Keys 346
P is the prime, P = JQ + 1. G is the generator GQ = 1 mod P. Q is the prime factor of P-1. J is the 347 OPTIONAL cofactor. X is the private key (refer to ANSI X9.42). 348
2.1.7.7 2.1.7.7 Transparent DH Public Key 349
If the Key Format Type in the Key Block is Transparent DH Public Key, then Key Material is a structure as 350 shown in Table 18Table 18Table 1815. 351
Object Encoding REQUIREDKey Material Structure
P Big Integer Yes
Q Big Integer No
G Big Integer Yes
Q Big Integer No
J Big Integer No
Y Big Integer Yes
Table 18: Key Material Object Structure for Transparent DH Public Keys 352
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted Table
Formatted Table
Formatted Table
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 28 of 176
P is the prime, P = JQ + 1. G is the generator GQ = 1 mod P. Q is the prime factor of P-1. J is the 353 OPTIONAL cofactor. Y is the public key (refer to ANSI X9.42). 354
2.1.7.8 2.1.7.8 Transparent ECDSA Private Key 355
If the Key Format Type in the Key Block is Transparent ECDSA Private Key, then Key Material is a 356 structure as shown in Table 19Table 19Table 1916. 357
Object Encoding REQUIREDKey Material Structure
Recommended Curve
Enumeration, see Enumeration, see 9.1.3.2.59.1.3.2.5
Yes
D Big Integer Yes
Table 19: Key Material Object Structure for Transparent ECDSA Private Keys 358
D is the private key (refer to NIST FIPS PUB 186-3). 359
2.1.7.9 2.1.7.9 Transparent ECDSA Public Key 360
If the Key Format Type in the Key Block is Transparent ECDSA Public Key, then Key Material is a 361 structure as shown in Table 20Table 20Table 2017. 362
Object Encoding REQUIREDKey Material Structure
Recommended Curve
Enumeration, see Enumeration, see 9.1.3.2.59.1.3.2.5
Yes
Q String Byte String Yes
Table 20: Key Material Object Structure for Transparent ECDSA Public Keys 363
Q String is the public key (refer to NIST FIPS PUB 186-3). 364
2.1.7.10 2.1.7.10 Transparent ECDH Private Key 365
If the Key Format Type in the Key Block is Transparent ECDH Private Key, then Key Material is a 366 structure as shown in Table 21Table 21Table 2118. 367
Object Encoding REQUIREDKey Material Structure
Recommended Curve
Enumeration, see Enumeration, see 9.1.3.2.59.1.3.2.5
Yes
D Big Integer Yes
Table 21: Key Material Object Structure for Transparent ECDH Private Keys 368
2.1.7.11 2.1.7.11 Transparent ECDH Public Key 369
If the Key Format Type in the Key Block is Transparent ECDH Public Key, then Key Material is a structure 370 as shown in Table 22Table 22Table 2219. 371
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 29 of 176
Object Encoding REQUIREDKey Material Structure
Recommended Curve
Enumeration, see Enumeration, see 9.1.3.2.59.1.3.2.5
Yes
Q String Byte String Yes
Table 22: Key Material Object Structure for Transparent ECDH Public Keys 372
Q String is the public key (refer to NIST FIPS PUB 186-3). 373
2.1.7.12 2.1.7.12 Transparent ECMQV Private Key 374
If the Key Format Type in the Key Block is Transparent ECMQV Private Key, then Key Material is a 375 structure as shown in Table 23Table 23Table 2320. 376
Object Encoding REQUIREDKey Material Structure
Recommended Curve
Enumeration, see Enumeration, see 9.1.3.2.59.1.3.2.5
Yes
D Big Integer Yes
Table 23: Key Material Object Structure for Transparent ECMQV Private Keys 377
2.1.7.13 2.1.7.13 Transparent ECMQV Public Key 378
If the Key Format Type in the Key Block is Transparent ECMQV Public Key, then Key Material is a 379 structure as shown in Table 24Table 24Table 2421. 380
Object Encoding REQUIREDKey Material Structure
Recommended Curve
Enumeration, see Enumeration, see 9.1.3.2.59.1.3.2.5
Yes
Q String Byte String Yes
Table 24: Key Material Object Structure for Transparent ECMQV Public Keys 381
2.1.8 2.1.8 Template-Attribute Structures 382
These structures are used in various operations to provide the desired attribute values and/or template 383 names in the request and to return the actual attribute values in the response. 384
The Template-Attribute, Common Template-Attribute, Private Key Template-Attribute, and Public Key 385 Template-Attribute structures are defined identically as follows: 386
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 30 of 176
Object Encoding REQUIREDTemplate-Attribute, Common Template-Attribute, Private Key Template-Attribute, Public Key Template-Attribute
Structure
Name Structure, see Structure, see 3.23.2
No, MAY be repeated.
Attribute Attribute Object, see Attribute Object, see 2.1.12.1.1
No, MAY be repeated
Table 25: Template-Attribute Object Structure 387
Name is the Name attribute of the Template object defined in Section 2.2.62.2.6 . 388
2.2 2.2 Managed Objects 389
Managed Objects are objects that are the subjects of key management operations, which are described 390 in Sections 44 and 55 . Managed Cryptographic Objects are the subset of Managed Objects that contain 391 cryptographic material (e.g. certificates, keys, and secret data). 392
2.2.1 2.2.1 Certificate 393
A Managed Cryptographic Object that is a digital certificate (e.g., an encoded X.509 certificate). 394
Object Encoding REQUIREDCertificate Structure
Certificate Type Enumeration, see Enumeration, see 9.1.3.2.69.1.3.2.6
Yes
Certificate Value Byte String Yes
Table 26: Certificate Object Structure 395
2.2.2 2.2.2 Symmetric Key 396
A Managed Cryptographic Object that is a symmetric key. 397
Object Encoding REQUIREDSymmetric Key Structure
Key Block Structure, see Structure, see 2.1.32.1.3
Yes
Table 27: Symmetric Key Object Structure 398
2.2.3 2.2.3 Public Key 399
A Managed Cryptographic Object that is the public portion of an asymmetric key pair. This is only a public 400 key, not a certificate. 401
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 31 of 176
Object Encoding REQUIREDPublic Key Structure
Key Block Structure, see 2.1.32.1.3
Yes
Table 28: Public Key Object Structure 402
2.2.4 2.2.4 Private Key 403
A Managed Cryptographic Object that is the private portion of an asymmetric key pair. 404
Object Encoding REQUIREDPrivate Key Structure
Key Block Structure, see Structure, see 2.1.32.1.3
Yes
Table 29: Private Key Object Structure 405
2.2.5 2.2.5 Split Key 406
A Managed Cryptographic Object that is a Split Key. A split key is a secret, usually a symmetric key or a 407 private key that has been split into a number of parts, each of which MAY then be distributed to several 408 key holders, for additional security. The Split Key Parts field indicates the total number of parts, and the 409 Split Key Threshold field indicates the minimum number of parts needed to reconstruct the entire key. 410 The Key Part Identifier indicates which key part is contained in the cryptographic object, and SHALL be at 411 least 1 and SHALL be less than or equal to Split Key Parts. 412
Object Encoding REQUIRED
Split Key Structure
Split Key Parts Integer Yes
Key Part Identifier Integer Yes
Split Key Threshold Integer Yes
Split Key Method Enumeration, see Enumeration, see 9.1.3.2.79.1.3.2.7
Yes
Prime Field Size Big Integer No, REQUIRED only if Split Key Method is Polynomial Sharing Prime Field.
Key Block Structure, see 2.1.32.1.3
Yes
Table 30: Split Key Object Structure 413
There are three Split Key Methods for secret sharing: the first one is based on XOR, and the other two 414 are based on polynomial secret sharing, according to [SHAMIR1979]Adi Shamir, "How to share a secret", 415 Communications of the ACM, vol. 22, no. 11, pp. 612-613. 416
Let L be the minimum number of bits needed to represent all values of the secret. 417
• When the Split Key Method is XOR, then the Key Material in the Key Value of the Key Block is of 418 length L bits. The number of split keys is Split Key Parts (identical to Split Key Threshold), and 419 the secret is reconstructed by XORing all of the parts. 420
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
Formatted: Tab stops: 108 pt, List tab
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 32 of 176
• When the Split Key Method is Polynomial Sharing Prime Field, then secret sharing is performed 421 in the field GF(Prime Field Size), represented as integers, where Prime Field Size is a prime 422 bigger than 2L. 423
• When the Split Key Method is Polynomial Sharing GF(216), then secret sharing is performed in 424 the field GF(216). The Key Material in the Key Value of the Key Block is a bit string of length L, 425 and when L is bigger than 216, then secret sharing is applied piecewise in pieces of 16 bits each. 426 The Key Material in the Key Value of the Key Block is the concatenation of the corresponding 427 shares of all pieces of the secret. 428
Secret sharing is performed in the field GF(216), which is represented as an algebraic extension of 429 GF(28): 430
GF(216) ≈ GF(28) [y]/(y2+y+m), where m is defined later. 431
An element of this field then consists of a linear combination uy + v, where u and v are elements 432 of the smaller field GF(28). 433
The representation of field elements and the notation in this section rely on [FIPS197]FIPS PUB 434 197, Sections 3 and 4. The field GF(28) is as described in [FIPS197]FIPS PUB 197, 435
GF(28) ≈ GF(2) [x]/(x8+x4+x3+x+1). 436
An element of GF(28) is represented as a byte. Addition and subtraction in GF(28) is performed as 437 a bit-wise XOR of the bytes. Multiplication and inversion are more complex (see [FIPS197]FIPS 438 PUB 197 Section 4.1 and 4.2 for details). 439
An element of GF(216) is represented as a pair of bytes (u, v). The element m is given by 440
m = x5+x4+x3+x, 441
which is represented by the byte 0x3A (or {3A} in notation according to [FIPS197]FIPS PUB 197). 442
Addition and subtraction in GF(216) both correspond to simply XORing the bytes. The product of 443 two elements ry + s and uy + v is given by 444
(ry + s) (uy + v) = ((r + s)(u + v) + sv)y + (ru + svm). 445
The inverse of an element uy + v is given by 446
(uy + v)-1 = ud-1y + (u + v)d-1, where d = (u + v)v + mu2. 447
2.2.6 2.2.6 Template 448
A Template is a named Managed Object containing the client-settable attributes of a Managed 449 Cryptographic Object (i.e., a stored, named list of attributes). A Template is used to specify the attributes 450 of a new Managed Cryptographic Object in various operations. It is intended to be used to specify the 451 cryptographic attributes of new objects in a standardized or convenient way. None of the client-settable 452 attributes specified in a Template except the Name attribute apply to the template object itself, but instead 453 apply to any object created using the Template. 454
The Template MAY be the subject of the Register, Locate, Get, Get Attributes, Get Attribute List, Add 455 Attribute, Modify Attribute, Delete Attribute, and Destroy operations. 456
An attribute specified in a Template is applicable either to the Template itself or to objects created using 457 the Template. 458
Attributes applicable to the Template itself are: Unique Identifier, Object Type, Name, Initial Date, Archive 459 Date, and Last Change Date. 460
Attributes applicable to objects created using the Template are: 461
• Cryptographic Algorithm 462
• Cryptographic Length 463
• Cryptographic Domain Parameters 464
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 33 of 176
• Cryptographic Parameters 465
• Operation Policy Name 466
• Cryptographic Usage Mask 467
• Usage Limits 468
• Activation Date 469
• Process Start Date 470
• Protect Stop Date 471
• Deactivation Date 472
• Object Group 473
• Application Specific Information 474
• Contact Information 475
• Custom Attribute 476
Object Encoding REQUIREDTemplate Structure
Attribute Attribute Object, see Attribute Object, see 2.1.12.1.1
Yes. MAY be repeated.
Table 31: Template Object Structure 477
2.2.7 2.2.7 Secret Data 478
A Managed Cryptographic Object containing a shared secret value that is not a key or certificate (e.g., a 479 password). The Key Block of the Secret Data object contains a Key Value of the Opaque type. The Key 480 Value MAY be wrapped. 481
Object Encoding REQUIREDSecret Data Structure
Secret Data Type Enumeration, see Enumeration, see 9.1.3.2.89.1.3.2.8
Yes
Key Block Structure, see 2.1.32.1.3
Yes
Table 32: Secret Data Object Structure 482
2.2.8 2.2.8 Opaque Object 483
A Managed Object that the key management server is possibly not able to interpret. The context 484 information for this object MAY be stored and retrieved using Custom Attributes. 485
Object Encoding REQUIREDOpaque Object Structure
Opaque Data Type Enumeration, see Enumeration, see 9.1.3.2.99.1.3.2.9
Yes
Opaque Data Value Byte String Yes
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 106.9 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 34 of 176
Table 33: Opaque Object Structure 486
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 35 of 176
3 3 Attributes 487
The following subsections describe the attributes that are associated with Managed Objects. Attributes 488 that an object MAY have multiple instances of are referred to as multi-instance attributes. Similarly, 489 attributes which an object MAY only have at most one instance of are referred to as single-instance 490 attributes. These attributes are able to be obtained by a client from the server using the Get Attribute 491 operation. Some attributes are able to be set by the Add Attribute operation or updated by the Modify 492 Attribute operation, and some are able to be deleted by the Delete Attribute operation if they no longer 493 apply to the Managed Object. Read-only attributes are attributes that SHALL NOT be modified by either 494 server or client, and that SHALL NOT be deleted by a client. 495
When attributes are returned by the server (e.g., via a Get Attributes operation), the returned attribute 496 value returned MAY differ for different clientsdepending on the client (e.g., the Cryptographic Usage Mask 497 value MAY be different for different clients, depending on the policy of the server). 498
The first table in each subsection contains the attribute name contained in the first row. This name of the 499 Object column of the first table in each subsection is the canonical name used when managing attributes 500 using the Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, and Delete Attribute 501 operations. 502
A server SHALL NOT delete attributes without receiving a request from a client until the object is 503 destroyed. After an object is destroyed, the server MAY retain all, some or none of the object attributes, 504 depending on the object type and server policy. 505
The second table (see Table 34Table 31) in each subsection lists certain attribute characteristics (e.g., 506 “SHALL always have a value”): Table 34Table 34Table 34 below explains the meaning of each”). The 507 “When implicitly set” characteristic that may appear in those tables. The server policy MAY further restrict 508 these indicates which operations (other than operations that manage attributes) are able to implicitly add 509 to or modify the attribute characteristicsof the object, which MAY be object(s) on which the operation is 510 performed or object(s) created as a result of the operation. Implicit attribute changes MAY occur even if 511 the attribute is not specified in the operation request itself. 512
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 36 of 176
SHALL always have a value All Managed Objects that are of the Object Types for which this attribute applies, SHALL always have this attribute set once the object has been created or registered, up until the object has been destroyed.
Initially set by Who is permitted to initially set the value of the attribute (if the attribute has never been set, or if all the attribute values have been deleted)?
Modifiable by server Is the server allowed to change an existing value ofmodify the attribute without receiving a request from a client?
Modifiable by client Is the client able to change an existing value ofmodify the attribute value once it has been set?
Deletable by client Is the client able to delete an instance of the attribute?
Multiple instances permitted Are multiple instances of the attribute permitted?
When implicitly set Which operations MAY cause this attribute to be set even if the attribute is not specified in the operationwithout an explicit request itself?from a client
Applies to Object Types Which Managed Objects MAY have this attribute set?
Table 34: Attribute Rules 513
3.1 3.1 Unique Identifier 514
The Unique Identifier is generated by the key management system to uniquely identify a Managed Object. 515 It is only REQUIRED to be unique within the identifier space managed by a single key management 516 system, however it is RECOMMENDED that this identifier be globally unique in order, to allow for a key 517 management domain export of such objects. This attribute SHALL be assigned by the key management 518 system at creation or registration time, and then SHALL NOT be changed or deleted before the object is 519 destroyedby any entity at any time. 520
Object EncodingUnique Identifier Text String
Table 35: Unique Identifier Attribute 521
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 37 of 176
SHALL always have a value Yes
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Objects
Table 36: Unique Identifier Attribute Rules 522
3.2 3.2 Name 523
The Name attribute is a structure (see Table 37Table 37Table 3734) used to identify and locate the 524 object. This attribute is, assigned by the client, and the Name Value is intended to be in a form that 525 humans are able to interpret. The key management system MAY specify rules by which the client creates 526 valid names. Clients are informed of such rules by a mechanism that is not specified by this standard. 527 Names SHALL be unique within a given key management domain, but are not REQUIRED to be globally 528 unique. 529
Object Encoding REQUIREDName Structure
Name Value Text String Yes
Name Type Enumeration, see Enumeration, see 9.1.3.2.109.1.3.2.10
Yes
Table 37: Name Attribute Structure 530
SHALL always have a value No
Initially set by Client
Modifiable by server Yes
Modifiable by client Yes
Deletable by client Yes
Multiple instances permitted Yes
When implicitly set Re-key, Re-certify
Applies to Object Types All Objects
Table 38: Name Attribute Rules 531
3.3 3.3 Object Type 532
The Object Type of a Managed Object (e.g., public key, private key, symmetric key, etc)). This attribute 533 SHALL be set by the server when the object is created or registered and then SHALL NOT be changed or 534 deleted before the object is destroyed. 535
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 38 of 176
Object EncodingObject Type Enumeration, see
Enumeration, see 9.1.3.2.119.1.3.2.11
Table 39: Object Type Attribute 536
SHALL always have a value Yes
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Objects
Table 40: Object Type Attribute Rules 537
3.4 3.4 Cryptographic Algorithm 538
The Cryptographic Algorithm used by the object (e.g., RSA, DSA, DES, 3DES, AES, etc). This attribute 539 SHALL be set by the server when the object is created or registered and then SHALL NOT be changed or 540 deleted before the object is destroyed. 541
Object EncodingCryptographic Algorithm Enumeration, see
Enumeration, see 9.1.3.2.129.1.3.2.12
Table 41: Cryptographic Algorithm Attribute 542
SHALL always have a value Yes
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Re-key
Applies to Object Types Keys, Certificates, Templates
Table 42: Cryptographic Algorithm Attribute Rules 543
3.5 3.5 Cryptographic Length 544
Cryptographic Length is the length in bits of the clear-text cryptographic key material of the Managed 545 Cryptographic Object. This attribute SHALL be set by the server when the object is created or registered, 546 and then SHALL NOT be changed or deleted before the object is destroyed. 547
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 39 of 176
Object EncodingCryptographic Length Integer
Table 43: Cryptographic Length Attribute 548
SHALL always have a value Yes
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Re-key
Applies to Object Types Keys ,Certificates, Templates
Table 44: Cryptographic Length Attribute Rules 549
3.6 3.6 Cryptographic Parameters 550
The Cryptographic Parameters attribute is a structure (see Table 45Table 45Table 4542) that contains a 551 set of OPTIONAL fields that describe certain cryptographic parameters to be used when performing 552 cryptographic operations using the object. SpecificIt is possible that specific fields MAY only pertain only 553 to certain types of Managed Cryptographic Objects. 554
Object Encoding REQUIREDCryptographic Parameters Structure
Block Cipher Mode Enumeration, see Enumeration, see 9.1.3.2.139.1.3.2.13
No
Padding Method Enumeration, see Enumeration, see 9.1.3.2.149.1.3.2.14
No
Hashing Algorithm Enumeration, see Enumeration, see 9.1.3.2.159.1.3.2.15
No
Key Role Type Enumeration, see Enumeration, see 9.1.3.2.169.1.3.2.16
No
Table 45: Cryptographic Parameters Attribute Structure 555
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 40 of 176
SHALL always have a value No
Initially set by Client
Modifiable by server No
Modifiable by client Yes
Deletable by client Yes
Multiple instances permitted Yes
When implicitly set Re-key, Re-certify
Applies to Object Types Keys, ,Certificates, Templates
Table 46: Cryptographic Parameters Attribute Rules 556
Key Role Type definitions match those defined in ANSI X9 TR-31 [X9 TR-31] and are defined in Table 557 47Table 47Table 4744: 558
BDK Base Derivation Key (ANSI X9.24 DUKPT key derivation)
CVK Card Verification Key (CVV/signature strip number validation)
DEK Data Encryption Key (General Data Encryption)
MKAC EMV/chip card Master Key: Application Cryptograms
MKSMC EMV/chip card Master Key: Secure Messaging for Confidentiality
MKSMI EMV/chip card Master Key: Secure Messaging for Integrity
MKDAC EMV/chip card Master Key: Data Authentication Code
MKDN EMV/chip card Master Key: Dynamic Numbers
MKCP EMV/chip card Master Key: Card Personalization
MKOTH EMV/chip card Master Key: Other
KEK Key Encryption or Wrapping Key
MAC16609 ISO16609 MAC Algorithm 1
MAC97971 ISO9797-1 MAC Algorithm 1
MAC97972 ISO9797-1 MAC Algorithm 2
MAC97973 ISO9797-1 MAC Algorithm 3 (Note this is commonly known as X9.19 Retail MAC)
MAC97974 ISO9797-1 MAC Algorithm 4
MAC97975 ISO9797-1 MAC Algorithm 5
ZPK PIN Block Encryption Key
PVKIBM PIN Verification Key, IBM 3624 Algorithm
PVKPVV PIN Verification Key, VISA PVV Algorithm
PVKOTH PIN Verification Key, Other Algorithm
Table 47: Key Role Types 559
Accredited Standards Committee X9, Inc. - Financial Industry Standards (www.x9.org) contributed to 560 Table 47Table 47Table 4744. Key role names and descriptions are derived from material in the 561 Accredited Standards Committee X9, Inc's Technical Report "TR-31 2005 Interoperable Secure Key 562 Exchange Key Block Specification for Symmetric Algorithms" and used with the permission of Accredited 563
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 41 of 176
Standards Committee X9, Inc. in an effort to improve interoperability between X9 standards and OASIS 564 KMIP. The complete ANSI X9 TR-31 is available at www.x9.org. 565
3.7 3.7 Cryptographic Domain Parameters 566
The Cryptographic Domain Parameters attribute is a structure (see Table 48Table 48Table 4845) that 567 contains a set of OPTIONAL fields that MAY need to be specified in the Create Key Pair Request 568 Payload. Specific fields MAY only pertain to certain types of Managed Cryptographic Objects. 569
The For DSA, the domain parameter Qlength correponds to the bit length of the parameter Q (referin bits. 570 The length of P needs to [FIPS186-3] and [SP800-56A]). Qlength applies to algorithms such as DSA and 571 DH. The bit length of parameter P (refer to [FIPS186-3] and [SP800-56A]) isbe specified separately by 572 setting the Cryptographic Length attribute. 573
Recommended Curve is applicable to elliptic curve algorithms such as ECDSA, ECDH, and ECMQV. 574
Object Encoding RequiredCryptographic Domain Parameters
Structure Yes
Qlength Integer No
Recommended Curve Enumeration, see 9.1.3.2.5
No
Table 48: Cryptographic Domain Parameters Attribute Structure 575
Shall always have a value No
Initially set by Client
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Re-key
Applies to Object Types Asymmetric Keys, Templates
Table 49: Cryptographic Domain Parameters Attribute Rules 576
3.8 3.8 Certificate Type 577
The type of a certificate (e.g., X.509, PGP, etc). The Certificate Type value SHALL be set by the server 578 when the certificate is created or registered and then SHALL NOT be changed or deleted before the 579 object is destroyed. 580
Object EncodingCertificate Type Enumeration, see
Enumeration, see 9.1.3.2.69.1.3.2.6
Table 50: Certificate Type Attribute 581
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 42 of 176
SHALL always have a value Yes
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Register, Certify, Re-certify
Applies to Object Types Certificates
Table 51: Certificate Type Attribute Rules 582
3.9 3.9 Certificate Identifier 583
The Certificate Identifier attribute is a structure (see Table 52Table 52Table 5249) used to provide the 584 identification of a certificate, containing the Issuer Distinguished Name (i.e., from the Issuer field of the 585 certificate) and the Certificate Serial Number (i.e., from the Serial Number field of the certificate). The 586 Certificate IdentifierThis value SHALL be set by the server when the certificate is created or registered 587 and then SHALL NOT be changed or deleted before the object is destroyed. 588
Object Encoding REQUIREDCertificate Identifier Structure
Issuer Text String Yes
Serial Number Text String Yes (for X.509 certificates) / No (for PGP certificates since they do not contain a serial number)
Table 52: Certificate Identifier Attribute Structure 589
SHALL always have a value Yes
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Register, Certify, Re-certify
Applies to Object Types Certificates
Table 53: Certificate Identifier Attribute Rules 590
3.10 3.10 Certificate Subject 591
The Certificate Subject attribute is a structure (see Table 54Table 54Table 5451) used to identify the 592 subject of a certificate, containing the Subject Distinguished Name (i.e., from the Subject field of the 593 certificate). It MAY include one or more alternative names (e.g., email address, IP address, DNS name) 594 for the subject of the certificate (i.e., from the Subject Alternative Name extension within the certificate). 595 These values SHALL be set by the server based on the information it extracts from the certificate that is 596 created (as a result of a Certify or a Re-certify operation) or registered (as part of a Register operation) 597 and SHALL NOT be changed or deleted beforeduring the object is destroyedlifespan of the certificate. 598
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 43 of 176
If the Subject Alternative Name extension is included in the certificate and is marked CRITICAL (i.e., 599 within the certificate itself), then it is possible to issue an X.509 certificate where the subject field is left 600 blank. Therefore an empty string is an acceptable value for the Certificate Subject Distinguished Name. 601
Object Encoding REQUIREDCertificate Subject Structure
Certificate Subject Distinguished Name
Text String Yes, but MAY be the empty string
Certificate Subject Alternative Name
Text String No, MAY be repeated
Table 54: Certificate Subject Attribute Structure 602
SHALL always have a value Yes
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Register, Certify, Re-certify
Applies to Object Types Certificates
Table 55: Certificate Subject Attribute Rules 603
3.11 3.11 Certificate Issuer 604
The Certificate Issuer attribute is a structure (see Table 57Table 57Table 5754) used to identify the issuer 605 of a certificate, containing the Issuer Distinguished Name (i.e., from the Issuer field of the certificate). It 606 MAY include one or more alternative names (e.g., email address, IP address, DNS name) for the issuer of 607 the certificate (i.e., from the Issuer Alternative Name extension within the certificate). The server SHALL 608 set these values based on the information it extracts from a certificate that is created as a result of a 609 Certify or a Re-certify operation or is sent as part of a Register operation. These values SHALL NOT be 610 changed or deleted beforeduring the object is destroyedlifespan of the certificate. 611
Object Encoding REQUIREDCertificate Issuer Structure
Certificate Issuer Distinguished Name
Text String Yes
Certificate Issuer Alternative Name
Text String No, MAY be repeated
Table 56: Certificate Issuer Attribute Structure 612
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 44 of 176
SHALL always have a value Yes
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Register, Certify, Re-certify
Applies to Object Types Certificates
Table 57: Certificate Issuer Attribute Rules 613
3.12 3.12 Digest 614
The Digest attribute is a structure (see Table 58Table 58Table 5855) that contains the digest value of the 615 key or secret data (i.e., digest of the Key Material), certificate (i.e., digest of the Certificate Value), or 616 opaque object (i.e., digest of the Opaque Data Value). Multiple digests MAY be calculated using different 617 algorithms. If an instance of this attribute exists, then itThe mandatory digest SHALL be computed with 618 the SHA-256 hashing algorithm; the server MAY store additional digests using the algorithms listed in 619 Section 9.1.3.2.159.1.3.2.15 . The digest(s) are static and SHALL be setgenerated by the server when 620 the object is created or registered, provided that the server has access to the Key Material or the Digest 621 Value (possibly obtained via out-of-band mechanisms). 622
Object Encoding REQUIREDDigest Structure
Hashing Algorithm Enumeration, see Enumeration, see 9.1.3.2.159.1.3.2.15
Yes
Digest Value Byte String Yes, if the server has access to the Digest Value or the Key Material (for keys and secret data), the Certificate Value (for certificates) or the Opaque Data Value (for opaque objects).
Table 58: Digest Attribute Structure 623
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 45 of 176
SHALL always have a value Yes, if the server has access to the Digest Value or the Key Material (for keys and secret data), the Certificate Value (for certificates) or the Opaque Data Value (for opaque objects).
Initially set by Server
Modifiable by server NoYes
Modifiable by client No
Deletable by client No
Multiple instances permitted Yes
When implicitly set Create, Create Key Pair, Register, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Cryptographic Objects, Opaque Objects
Table 59: Digest Attribute Rules 624
3.13 3.13 Operation Policy Name 625
An operation policy controls what entities MAY perform which key management operations on the object. 626 The content of the Operation Policy Name attribute is the name of a policy object known to the key 627 management system and, therefore, is server dependent. The named policy objects are created and 628 managed using mechanisms outside the scope of the protocol. The policies determine what entities MAY 629 perform specified operations on the object, and which of the object’s attributes MAY be modified or 630 deleted. The Operation Policy Name attribute SHOULD be set when operations that result in a new 631 Managed Object on the server are executed. It is set either explicitly or via some default set by the server, 632 which then applies the named policy to all subsequent operations on the object. 633
Object EncodingOperation Policy Name Text String
Table 60: Operation Policy Name Attribute 634
SHALL always have a value No
Initially set by Server or Client
Modifiable by server Yes
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Objects
Table 61: Operation Policy Name Attribute Rules 635
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 46 of 176
3.13.1 3.13.1 Operations outside of operation policy control 636
Some of the operations SHOULD be allowed for any client at any time, without respect to operation 637 policy. These operations are: 638
• Create 639
• Create Key Pair 640
• Register 641
• Certify 642
• Re-certify 643
• Validate 644
• Query 645
• Cancel 646
• Poll 647
3.13.2 3.13.2 Default Operation Policy 648
A key management system implementation SHALL implement at least one named operation policy, which 649 is used for objects when the Operation Policy attribute is not specified by the Client in operations that 650 result in a new Managed Object on the serverCreate or Register operation, or in a template specified in 651 these operations. This policy is named default. It specifies the following rules for operations on objects 652 created or registered with this policy, depending on the object type. For the profiles defined in [KMIP-653 Prof], the creator SHALL be as defined in [KMIP-Prof]. 654
3.13.2.1 3.13.2.1 Default Operation Policy for Secret Objects 655
This policy applies to Symmetric Keys, Private Keys, Split Keys, Secret Data, and Opaque Objects. 656
Default Operation Policy for Secret ObjectsOperation Policy Re-Key Allowed to creator only
Derive Key Allowed to creator only
Locate Allowed to creator only
Check Allowed to creator only
Get Allowed to creator only
Get Attributes Allowed to creator only
Get Attribute List Allowed to creator only
Add Attribute Allowed to creator only
Modify Attribute Allowed to creator only
Delete Attribute Allowed to creator only
Obtain Lease Allowed to creator only
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 141.8 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 70.9 pt + 141.8 pt
Formatted: Font: Bold
Formatted: Space Before: 6 pt, Don't adjustspace between Latin and Asian text
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt + 212.7 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 47 of 176
Get Usage Allocation Allowed to creator only
Activate Allowed to creator only
Revoke Allowed to creator only
Destroy Allowed to creator only
Archive Allowed to creator only
Recover Allowed to creator only
Table 62: Default Operation Policy for Secret Objects 657
For mandatory profiles, the creator SHALL be the transport-layer identification (see [KMIP-Prof]) 658 provided at the Create or Register operation time. 659
3.13.2.2 3.13.2.2 Default Operation Policy for Certificates and Public Key 660 Objects 661
This policy applies to Certificates and Public Keys. 662
Default Operation Policy for Certificates and Public Key Objects
Operation PolicyCertify Allowed to creator only
Re-certify Allowed to creator only
Locate Allowed to all
Check Allowed to all
Get Allowed to all
Get Attributes Allowed to all
Get Attribute List Allowed to all
Add Attribute Allowed to creator only
Modify Attribute Allowed to creator only
Delete Attribute Allowed to creator only
Obtain Lease Allowed to all
Activate Allowed to creator only
Revoke Allowed to creator only
Destroy Allowed to creator only
Archive Allowed to creator only
Recover Allowed to creator only
Table 63: Default Operation Policy for Certificates and Public Key Objects 663
3.13.2.3 3.13.2.3 Default Operation Policy for Template Objects 664
The operation policy specified as an attribute in the RegisterCreate operation for a template object is the 665 operation policy used for objects created using that template, and is not the policy used to control 666 operations on the template itself. There is no mechanism to specify a policy used to control operations on 667 template objects, so the default policy for template objects is always used for templates created by clients 668 using the Register operation to create template objects. 669
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt + 212.7 pt
Formatted Table
Formatted Table
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt + 212.7 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 48 of 176
Default Operation Policy for Private Template ObjectsOperation PolicyLocate Allowed to creator only
Get Allowed to creator only
Get Attributes Allowed to creator only
Get Attribute List Allowed to creator only
Add Attribute Allowed to creator only
Modify Attribute Allowed to creator only
Delete Attribute Allowed to creator only
Destroy Allowed to creator only
Any operation referencing the Template using a Template-Attribute
Allowed to creator only
Table 64: Default Operation Policy for Private Template Objects 670
In addition to private template objects (which are controlled by the above policy, and which MAY be 671 created by clients or the server), publicly known and usable templates MAY be created and managed by 672 the server, with a default policy different from private template objects. 673
Default Operation Policy for Public Template ObjectsOperation PolicyLocate Allowed to all
Get Allowed to all
Get Attributes Allowed to all
Get Attribute List Allowed to all
Add Attribute Disallowed to all
Modify Attribute Disallowed to all
Delete Attribute Disallowed to all
Destroy Disallowed to all
Any operation referencing the Template using a Template-Attribute
Allowed to all
Table 65: Default Operation Policy for Public Template Objects 674
3.14 3.14 Cryptographic Usage Mask 675
The Cryptographic Usage Mask defines the cryptographic usage of a key. This is a bit mask that indicates 676 to the client which cryptographic functions MAY be performed using the key, and which ones SHALL NOT 677 be performed. 678
• Sign 679 • Verify 680 • Encrypt 681 • Decrypt 682 • Wrap Key 683 • Unwrap Key 684
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 49 of 176
• Export 685 • MAC Generate 686 • MAC Verify 687 • Derive Key 688 • Content Commitment 689 • Key Agreement 690 • Certificate Sign 691 • CRL Sign 692 • Generate Cryptogram 693 • Validate Cryptogram 694 • Translate Encrypt 695 • Translate Decrypt 696 • Translate Wrap 697 • Translate Unwrap 698
This list takes into consideration values that MAY appear in the Key Usage extension in an X.509 699 certificate. However, the list does not consider the additional usages that MAY appear in the Extended 700 Key Usage extension. 701
X.509 Key Usage values SHALL be mapped to Cryptographic Usage Mask values in the following 702 manner: 703
X.509 Key Usage to Cryptographic Usage Mask MappingX.509 Key Usage Value Cryptographic Usage Mask Value
digitalSignature Sign orand Verify
contentCommitment Content Commitment
(Non Repudiation)
keyEncipherment Wrap Key orand Unwrap Key
dataEncipherment Encrypt orand Decrypt
keyAgreement Key Agreement
keyCertSign Certificate Sign
cRLSign CRL Sign
encipherOnly Encrypt
decipherOnly Decrypt
Table 66: X.509 Key Usage to Cryptographic Usage Mask Mapping 704
705
Object EncodingCryptographic Usage Mask Integer
Table 67: Cryptographic Usage Mask Attribute 706
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 50 of 176
SHALL always have a value Yes
Initially set by Server or Client
Modifiable by server Yes
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Cryptographic Objects, Templates
Table 68: Cryptographic Usage Mask Attribute Rules 707
3.15 3.15 Lease Time 708
The Lease Time attribute defines a time interval for a Managed Cryptographic Object beyond which the 709 client SHALL NOT use the object without obtaining another lease. This attribute always holds the initial 710 lengthvalue of time allowed for a lease, and not the actual remaining time. Once its the lease expires, 711 then the client is only able to renew the lease by calling Obtain Lease. A server SHALL store in this 712 attribute the maximum Lease Time it is able to serve and a client obtains the lease time (with Obtain 713 Lease) that is less than or equal to the maximum Lease Time. This attribute is read-only for clients. It 714 SHALL be modified by the server only. 715
Object EncodingLease Time Interval
Table 69: Lease Time Attribute 716
SHALL always have a value No
Initially set by Server
Modifiable by server Yes
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Cryptographic Objects
Table 70: Lease Time Attribute Rules 717
3.16 3.16 Usage Limits 718
The Usage Limits attribute is a mechanism for limiting the usage of a Managed Cryptographic Object. It 719 only applies to Managed Cryptographic Objects that are able to be used for applying cryptographic 720 protection and it SHALL only reflect their usage for applying that protection (e.g., encryption, signing, 721 etc.). This attribute does not necessarily exist for all Managed Cryptographic Objects, since some objects 722 are able to be used without limit for cryptographically protecting data, depending on client/server policies. 723 Usage for processing cryptographically-protected data (e.g., decryption, verification, etc.) is not limited. 724
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 51 of 176
The Usage Limits attribute has the three followingfour fields for two different types of limits, bytes and 725 objects. Exactly one of these two types SHALL be present. These fields are: 726
• Usage Limits Total Bytes – the total number of Usage Limits Unitsbytes allowed to be protected. 727 This is the total value for the entire life of the object and SHALL NOT be changed once the object 728 begins to be used for applying cryptographic protection. 729
• Usage Limits Byte Count – the currently remaining number of Usage Limits Unitsbytes allowed to 730 be protected by the object. 731
• Usage Limits Unit – The type of quantity for which this structure specifies a usage limit (e.g., byte, 732 object). 733
• When the attribute is initially set (usually during object creation or registration), the Usage Limits 734 Count is set to the Usage Limits Total valueObjects – the total number of objects allowed to be 735 protected. This is the total value for the entire life of the object and SHALL NOT be changed once 736 the object begins to be used for applying cryptographic protection. 737
• Usage Limits Object Count – the currently remaining number of objects allowed to be protected 738 by the object. 739
When the attribute is initially set (usually during object creation or registration), the Count values are set 740 to the Total values allowed for the useful life of the object, and are decremented when the object is used. 741 The . The count values SHALL be ignored by the server SHALL ignore the Usage Limits Count value if 742 the attribute is specified in an operation that creates a new object. Changes made via the Modify Attribute 743 operation reflect corrections to the Usage Limitsthese Total values, but they SHALL NOT be changed 744 once the Usage Limits Count value hasvalues have changed by a Get Usage Allocation operation. The 745 Usage Limits Count valuevalues SHALL NOT be set or modified by the client via the Add Attribute or 746 Modify Attribute operations. 747
Object Encoding REQUIREDUsage Limits Structure
Usage Limits Total Bytes
LongBig Integer YesNo. SHALL be present if Usage Limits Byte Count is present
Usage Limits Byte Count
LongBig Integer YesNo. SHALL be present if Usage Limits Object Count is not present
Usage Limits UnitTotal Objects
Enumeration, see 9.1.3.2.30Big Integer
YesNo. SHALL be present if Usage Limits Object Count is present
Usage Limits Object Count
Big Integer No. SHALL be present if Usage Limits Byte Count is not present
Table 71: Usage Limits Attribute Structure 748
Formatted: Font: Not Italic
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 52 of 176
SHALL always have a value
No
Initially set by Server (Total, Count, and Unit/or Count) or Client (Total and/or Unit only)
Modifiable by server Yes
Modifiable by client Yes (Total and/or Unit only, as long as Get Usage Allocation has not been performed)
Deletable by client Yes, as long as Get Usage Allocation has not been performed
Multiple instances permitted
No
When implicitly set Create, Create Key Pair, Register, Derive Key, Re-key, Get Usage Allocation
Applies to Object Types Keys, Templates
Table 72: Usage Limits Attribute Rules 749
3.17 3.17 State 750
This attribute is an indication of the State of an object as known to the key management server. The State 751 SHALL NOT be changed by using the Modify Attribute operation on this attribute. The state SHALL only 752 be changed by the server as a part of other operations or other server processes. An object SHALL be in 753 one of the following states at any given time. (Note: These states correspond to those described in NIST 754 Special Publication 800-57 [SP800-57-1]). 755
• Pre-Active: The object exists but is not yet usable for 756 any cryptographic purpose. 757
• Active: The object MAY be used for all cryptographic 758 purposes that are allowed by its Cryptographic Usage 759 Mask attribute and, if applicable, by its Process Start 760 Date (see 3.203.20 ) and Protect Stop Date (see 761 3.213.21 ) attributes. 762
• Deactivated: The object SHALL NOT be used for 763 applying cryptographic protection (e.g., encryption or 764 signing), but, if permitted by the Cryptographic Usage 765 Mask attribute, then the object MAY be used to 766 process cryptographically-protected information (e.g., 767 decryption or verification), but only under 768 extraordinary circumstances and when special 769 permission is granted. 770
• Compromised: It is possible that the object has been 771 compromised, and SHOULD only be used to process 772 cryptographically-protected information in a client that 773 is trusted to use managed objects that have 774 beenhandle compromised cryptographic objects. 775
Figure 1: Cryptographic Object States and Transitions
Pre-Active
Active
Deactivated
Destroyed
Compromised
DestroyedCompromised
1
2 3
4
5
6
7 8
9
10
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 53 of 176
• Destroyed: The object is no longer usable for any purpose. 776
• Destroyed Compromised: The object is no longer usable for any purpose; however its 777 compromised status MAY be retained for audit or security purposes. 778
State transitions occur as follows: 779
1. The transition from a non-existent key to the Pre-Active state is caused by the creation of the object. 780 When an object is created or registered, it automatically goes from non-existent to Pre-Active. If, 781 however, the operation that creates or registers the object contains an Activation Date that has 782 already occurred, then the state immediately transitions from Pre-Active to Active. In this case, the 783 server SHALL set the Activation Date attribute to the time when the operation is received, or fail the 784 request attempting to create or register the object, depending on server policy. If the operation 785 contains an Activation Date attribute that is in the future, or contains no Activation Date, then the 786 Cryptographic Object is initialized in the key management system in the Pre-Active state. 787
2. The transition from Pre-Active to Destroyed is caused by a client issuing a Destroy operation. The 788 server destroys the object when (and if) server policy dictates. 789
3. The transition from Pre-Active to Compromised is caused by a client issuing a Revoke operation with 790 a Revocation Reason of Compromised. 791
4. The transition from Pre-Active to Active SHALL occur in one of three ways: 792
• The object has an Activation Date in the future. At the time that the Activation Date is 793 reached, the server changes the state to Active. 794
• A client successfully issues a Modify Attribute operation, modifying the Activation Date to a 795 date in the past, or the current date. In this case, the server SHALL either set the Activation 796 Date attribute to the date in the past or the current date, or fail the operation, depending on 797 server policy. 798
• A client issues an Activate operation on the object. The server SHALL set the Activation 799 Date to the time the Activate operation is received. 800
5. The transition from Active to Compromised is caused by a client issuing a Revoke operation with a 801 Revocation Reason of Compromised. 802
6. The transition from Active to Deactivated SHALL occur in one of three ways: 803
• The object's Deactivation Date is reached. 804
• A client issues a Revoke operation, with a Revocation Reason other than Compromised. 805
• The client successfully issues a Modify Attribute operation, modifying the Deactivation Date 806 to a date in the past, or the current date. In this case, the server SHALL either set the 807 Deactivation Date attribute to the date in the past or the current date, or fail the operation, 808 depending on server policy. 809
7. The transition from Deactivated to Destroyed is caused by a client issuing a Destroy operation, or by 810 a server, both in accordance with server policy. The server destroys the object when (and if) server 811 policy dictates. 812
8. The transition from Deactivated to Compromised is caused by a client issuing a Revoke operation 813 with a Revocation Reason of Compromised. 814
9. The transition from Compromised to Destroyed Compromised is caused by a client issuing a Destroy 815 operation, or by a server, both in accordance with server policy. The server destroys the object when 816 (and if) server policy dictates. 817
10. The transition from Destroyed to Destroyed Compromised is caused by a client issuing a Revoke 818 operation with a Revocation Reason of Compromised. 819
Only the transitions described above are permitted. 820
Formatted: Indent: Left: 0 pt, Tab stops: 18pt, List tab
Formatted: Indent: Left: 0 pt, Tab stops: 18pt, List tab + Not at 36 pt
Formatted: Indent: Left: 0 pt, Tab stops: 18pt, List tab
Formatted: Indent: Left: 0 pt, Tab stops: 18pt, List tab + Not at 36 pt
Formatted: Indent: Left: 0 pt, Tab stops: 18pt, List tab + Not at 36 pt
Formatted: Indent: Left: 0 pt, Tab stops: 18pt, List tab + Not at 36 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 54 of 176
Object EncodingState Enumeration, see
Enumeration, see 9.1.3.2.179.1.3.2.17
Table 73: State Attribute 821
SHALL always have a value Yes
Initially set by Server
Modifiable by server Yes
Modifiable by client No, but only by the server in response to certain requests (see above)
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Activate, Revoke, Destroy, Certify, Re-certify, Re-key
Applies to Object Types All Cryptographic Objects
Table 74: State Attribute Rules 822
3.18 3.18 Initial Date 823
The Initial Date is the date and time when the Managed Object was first created or registered at the 824 server. This time corresponds to state transition 1 (see Section 3.173.17 ). This attribute SHALL be set by 825 the server when the object is created or registered, and then SHALL NOT be changed or deleted before 826 the object is destroyed. This attribute is also set for non-cryptographic objects (e.g., templates) when they 827 are first registered with the server. 828
Object EncodingInitial Date Date-Time
Table 75: Initial Date Attribute 829
SHALL always have a value Yes
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Objects
Table 76: Initial Date Attribute Rules 830
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 55 of 176
3.19 3.19 Activation Date 831
This is the date and time when the Managed Cryptographic Object MAY begin to be used. This time 832 corresponds to state transition 4 (see Section 3.173.17 ). The object SHALL NOT be used for any 833 cryptographic purpose before the Activation Date has been reached. Once the state transition from Pre-834 Active has occurred, then this attribute SHALL NOT be changedmodified by the server or deleted before 835 the object is destroyed client. 836
Object EncodingActivation Date Date-Time
Table 77: Activation Date Attribute 837
SHALL always have a value No
Initially set by Server or Client
Modifiable by server Yes, only while in Pre-Active state
Modifiable by client Yes, only while in Pre-Active state
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Activate Certify, Re-certify, Re-key
Applies to Object Types All Cryptographic Objects, Templates
Table 78: Activation Date Attribute Rules 838
3.20 3.20 Process Start Date 839
This is the date and time when a Managed Symmetric Key Object MAY begin to be used to process 840 cryptographically-protected information (e.g., decryption or unwrapping), depending on the value of its 841 Cryptographic Usage Mask attribute. The object SHALL NOT be used for these cryptographic purposes 842 before the Process Start Date has been reached. This value MAY be equal to or later than, but SHALL 843 NOT precede, the Activation Date. Once the Process Start Date has occurred, then this attribute SHALL 844 NOT be changed or deleted beforemodified by the object is destroyed server or the client. 845
Object EncodingProcess Start Date Date-Time
Table 79: Process Start Date Attribute 846
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 56 of 176
SHALL always have a value No
Initially set by Server or Client
Modifiable by server Yes, only while in Pre-Active or Active state and as long as the Process Start Date has been not reached.
Modifiable by client Yes, only while in Pre-Active or Active state and as long as the Process Start Date has been not reached.
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Register, Derive Key, Re-key
Applies to Object Types Symmetric Keys, Split Keys of symmetric keys, Templates
Table 80: Process Start Date Attribute Rules 847
3.21 3.21 Protect Stop Date 848
This is the date and time when a Managed Symmetric Key Object SHALL NOT be used for applying 849 cryptographic protection (e.g., encryption or wrapping), depending on the value of its Cryptographic 850 Usage Mask attribute. This value MAY be equal to or earlier than, but SHALL NOT be later than the 851 Deactivation Date. Once the Protect Stop Date has occurred, then this attribute SHALL NOT be changed 852 or deleted beforemodified by the object is destroyedserver or the client. 853
Object EncodingProtect Stop Date Date-Time
Table 81: Protect Stop Date Attribute 854
SHALL always have a value No
Initially set by Server or Client
Modifiable by server Yes, only while in Pre-Active or Active state and as long as the Protect Stop Date has not been reached.
Modifiable by client Yes, only while in Pre-Active or Active state and as long as the Protect Stop Date has not been reached.
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Register, Derive Key, Re-key
Applies to Object Types Symmetric Keys, Split Keys of symmetric keys, Templates
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 57 of 176
Table 82: Protect Stop Date Attribute Rules 855
3.22 3.22 Deactivation Date 856
The Deactivation Date is the date and time when the Managed Cryptographic Object SHALL NOT be 857 used for any purpose, except for decryption, signature verification, or unwrapping, but only under 858 extraordinary circumstances and only when special permission is granted. This time corresponds to state 859 transition 6 (see Section 3.173.17 ). ThisOnce this transition has occurred, then this attribute SHALL NOT 860 be changedmodified by the server or deleted before the object is destroyed, unless the object is in the 861 Pre-Active or Active stateclient. 862
Object EncodingDeactivation Date Date-Time
Table 83: Deactivation Date Attribute 863
SHALL always have a value No
Initially set by Server or Client
Modifiable by server Yes, only while in Pre-Active or Active state
Modifiable by client Yes, only while in Pre-Active or Active state
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Revoke Certify, Re-certify, Re-key
Applies to Object Types All Cryptographic Objects, Templates
Table 84: Deactivation Date Attribute Rules 864
3.23 3.23 Destroy Date 865
The Destroy Date is the date and time when the Managed Object was destroyed. This time corresponds 866 to state transitions 2, 7, or 9 (see Section 3.173.17 ). This value is set by the server when the object is 867 destroyed due to the reception of a Destroy operation, or due to server policy or out-of-band 868 administrative action. 869
Object EncodingDestroy Date Date-Time
Table 85: Destroy Date Attribute 870
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 58 of 176
SHALL always have a value No
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Destroy
Applies to Object Types All Cryptographic Objects, Opaque Objects
Table 86: Destroy Date Attribute Rules 871
3.24 3.24 Compromise Occurrence Date 872
The Compromise Occurrence Date is the date and time when the Managed Cryptographic Object was 873 first believed to be compromised. If it is not possible to estimate when the compromise occurred, then this 874 value SHOULD be set to the Initial Date for the object. 875
Object EncodingCompromise Occurrence Date Date-Time
Table 87: Compromise Occurrence Date Attribute 876
SHALL always have a value No
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Revoke
Applies to Object Types All Cryptographic Objects, Opaque Object
Table 88: Compromise Occurrence Date Attribute Rules 877
3.25 3.25 Compromise Date 878
The Compromise Date is the date and time when the Managed Cryptographic Object entered into the 879 compromised state. This time corresponds to state transitions 3, 5, 8, or 10 (see Section 3.173.17 ). This 880 time indicates when the key management system was made aware of the compromise, not necessarily 881 when the compromise occurred. This attribute is set by the server when it receives a Revoke operation 882 with a Revocation Reason of Compromised, or due to server policy or out-of-band administrative action. 883
Object EncodingCompromise Date Date-Time
Table 89: Compromise Date Attribute 884
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 59 of 176
SHALL always have a value No
Initially set by Server
Modifiable by server No
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Revoke
Applies to Object Types All Cryptographic Objects, Opaque Object
Table 90: Compromise Date Attribute Rules 885
3.26 3.26 Revocation Reason 886
The Revocation Reason attribute is a structure (see Table 91Table 91Table 9188) used to indicate why 887 the Managed Cryptographic Object was revoked (e.g., “compromised”, “expired”, “no longer used”, etc). 888 This attribute is only changed by the server as a part of the Revoke Operation. 889
The Revocation Message is an OPTIONAL field that is used exclusively for audit trail/logging purposes 890 and MAY contain additional information about why the object was revoked (e.g., “Laptop stolen”, or 891 “Machine decommissioned”). 892
Object Encoding REQUIREDRevocation Reason Structure
Revocation Reason Code
Enumeration, see 9.1.3.2.189.1.3.2.18
Yes
Revocation Message Text String No
Table 91: Revocation Reason Attribute Structure 893
SHALL always have a value No
Initially set by Server
Modifiable by server Yes
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Revoke
Applies to Object Types All Cryptographic Objects, Opaque Object
Table 92: Revocation Reason Attribute Rules 894
3.27 3.27 Archive Date 895
The Archive Date is the date and time when the Managed Object was placed in archival storage. This 896 value is set by the server as a part of the Archive operation. The server SHALL delete thisThis attribute is 897 deleted whenever a Recover operation is performed. 898
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 60 of 176
Object EncodingArchive Date Date-Time
Table 93: Archive Date Attribute 899
SHALL always have a value No
Initially set by Server
Modifiable by server NoYes
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Archive
Applies to Object Types All Objects
Table 94: Archive Date Attribute Rules 900
3.28 3.28 Object Group 901
An object MAY be part of a group of objects. An object MAY belong to more than one group of objects. To 902 assign an object to a group of objects, the object group name SHOULD be set into this attribute. 903
Object EncodingObject Group Text String
Table 95: Object Group Attribute 904
SHALL always have a value No
Initially set by Client or Server
Modifiable by server Yes
Modifiable by client Yes
Deletable by client Yes
Multiple instances permitted Yes
When implicitly set Create, Create Key Pair, Register, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Objects
Table 96: Object Group Attribute Rules 905
3.29 3.29 Link 906
The Link attribute is a structure (see Table 97Table 97Table 9794) used to create a link from one 907 Managed Cryptographic Object to another, closely related target Managed Cryptographic Object. The link 908 has a type, and the allowed types differ, depending on the Object Type of the Managed Cryptographic 909 Object, as listed below. The Linked Object Identifier identifies the target Managed Cryptographic Object 910 by its Unique Identifier. The link contains information about the association between the Managed 911 Cryptographic Objects (e.g., the private key corresponding to a public key; the parent certificate for a 912 certificate in a chain; or for a derived symmetric key, the base key from which it was derived). 913
Possible values of Link Type in accordance with the Object Type of the Managed Cryptographic Object 914 are: 915
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 61 of 176
• Private Key Link. For a Public Key object: the private key corresponding to the public key. 916
• Public Key Link. For a Private Key object: the public key corresponding to the private key. For a 917 Certificate object: the public key contained in the certificate. 918
• Certificate Link. For Certificate objects: the parent certificate for a certificate in a certificate chain. 919 For Public Key objects: the corresponding certificate(s), containing the same public key. 920
• Derivation Base Object Link for a derived Symmetric Key object: the object(s) from which the 921 current symmetric key was derived. 922
• Derived Key Link: the symmetric key(s) that were derived from the current object. 923
• Replacement Object Link. For a Symmetric Key object: the key that resulted from the re-key of 924 the current key. For a Certificate object: the certificate that resulted from the re-certify. Note that 925 there SHALL be only one such replacement object per Managed Object. 926
• Replaced Object Link. For a Symmetric Key object: the key that was re-keyed to obtain the 927 current key. For a Certificate object: the certificate that was re-certified to obtain the current 928 certificate. 929
The Link attribute SHOULD be present for private keys and public keys for which a certificate chain is 930 stored by the server, and for certificates in a certificate chain. 931
Note that it is possible for a Managed Object to have multiple instances of the Link attribute (e.g., a 932 Private Key has links to the associated certificate, as well as the associated public key; a Certificate 933 object has links to both the public key and to the certificate of the certification authority (CA) that signed 934 the certificate). 935
It is also possible that a Managed Object does not have links to associated cryptographic objects. This 936 MAY occur in cases where the associated key material is not available to the server or client (e.g., the 937 registration of a CA Signer certificate with a server, where the corresponding private key is held in a 938 different manner). 939
Object Encoding REQUIREDLink Structure
Link Type Enumeration, see Enumeration, see 9.1.3.2.199.1.3.2.19
Yes
Linked Object Identifier, see 3.1
Text String Yes
Table 97: Link Attribute Structure 940
SHALL always have a value No
Initially set by Client or Server
Modifiable by server Yes
Modifiable by client Yes
Deletable by client Yes
Multiple instances permitted Yes
When implicitly set Create Key Pair, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Cryptographic Objects
Table 98: Link Attribute Structure Rules 941
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 62 of 176
3.30 3.30 Application Specific Information 942
The Application Specific Information attribute is a structure (see Table 99Table 99Table 9996) used to 943 store data specific to the application(s) using the Managed Object. It consists of the following fields: an 944 Application Namespace and Application Data specific to that application namespace. A list of standard 945 application namespaces is provided in [KMIP-Prof]. 946
Clients MAY request to set (i.e., using any of the operations that resultresults in generating new Managed 947 Object(s) on the server or adding/modifying the attribute of an existing Managed Object) an instance of 948 this attribute with a particular Application Namespace while omitting Application Data. In that case, if the 949 server supports this namespace (as indicated by the Query operation in Section 4.244.24 ), then it SHALL 950 return a suitable Application Data value. If the server does not support this namespace, then an error 951 SHALL be returned. 952
953
Object Encoding REQUIREDApplication Specific Information
Structure
Application Namespace
Text String Yes
Application Data Text String Yes
Table 99: Application Specific Information Attribute 954
955
SHALL always have a value No
Initially set by Client or Server (only if the Application Data is omitted, in the client request)
Modifiable by server Yes (only if the Application Data is omitted in the client request)
Modifiable by client Yes
Deletable by client Yes
Multiple instances permitted Yes
When implicitly set Re-key, Re-certify
Applies to Object Types All Objects
Table 100: Application Specific Information Attribute Rules 956
3.31 3.31 Contact Information 957
The Contact Information attribute is OPTIONAL, and its content is used for contact purposes only. It is not 958 used for policy enforcement. The attribute is set by the client or the server. 959
Object EncodingContact Information Text String
Table 101: Contact Information Attribute 960
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 63 of 176
SHALL always have a value No
Initially set by Client or Server
Modifiable by server Yes
Modifiable by client Yes
Deletable by client Yes
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Certify, Re-certify, Re-key
Applies to Object Types All Objects
Table 102: Contact Information Attribute Rules 961
3.32 3.32 Last Change Date 962
The Last Change Date attribute is a meta attribute that contains the date and time of the last change to 963 the contents or attributes of the specified object. 964
Object EncodingLast Change Date Date-Time
Table 103: Last Change Date Attribute 965
SHALL always have a value Yes
Initially set by Server
Modifiable by server Yes
Modifiable by client No
Deletable by client No
Multiple instances permitted No
When implicitly set Create, Create Key Pair, Register, Derive Key, Activate, Revoke, Destroy, Archive, Recover, Certify, Re-certify, Re-key, Add Attribute, Modify Attribute, Delete Attribute, Get Usage Allocation
Applies to Object Types All Objects
Table 104: Last Change Date Attribute Rules 966
3.33 3.33 Custom Attribute 967
A Custom Attribute is a client- or server-defined attribute intended for vendor-specific purposes. It is 968 created by the client and not interpreted by the server, or is created by the server and MAY be interpreted 969 by the client. All custom attributes created by the client SHALL adhere to a naming scheme, where the 970 name of the attribute SHALL have a prefix of 'x-'. All custom attributes created by the key management 971 server SHALL adhere to a naming scheme where the name of the attribute SHALL have a prefix of 'y-'. 972 The server SHALL NOT accept a client-created or modified attribute, where the name of the attribute has 973
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 64 of 176
a prefix of ‘y-‘. The tag type Custom Attribute is not able to identify the particular attribute; hence such an 974 attribute SHALL only appear in an Attribute Structure with its name as defined in Section 2.1.12.1.1 . 975
Object EncodingCustom Attribute Any data type or structure. If a
structure, then the structure SHALL NOT include sub structures
The name of the attribute SHALL start with 'x-' or 'y-'.
Table 105 Custom Attribute 976
SHALL always have a value No
Initially set by Client or Server
Modifiable by server Yes, for server-created attributes
Modifiable by client Yes, for client-created attributes
Deletable by client Yes, for client-created attributes
Multiple instances permitted Yes
When implicitly set Create, Create Key Pair, Register, Derive Key, Activate, Revoke, Destroy, Certify, Re-certify, Re-key
Applies to Object Types All Objects
Table 106: Custom Attribute Rules 977
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 65 of 176
4 4 Client-to-Server Operations 978
The following subsections describe the operations that MAY be requested by a key management client. 979 Not all clients have to be capable of issuing all operation requests; however any client that issues a 980 specific request SHALL be capable of understanding the response to the request. All Object Management 981 operations are issued in requests from clients to servers, and results obtained in responses from servers 982 to clients. MultipleThese operations MAY be combined withininto a batch, resultingwhich allows multiple 983 operations to be contained in a single request/response message pair. 984
A number of the operations whose descriptions follow are affected by a mechanism referred to as the ID 985 Placeholder. 986
The key management server SHALL implement a temporary variable called the ID Placeholder. This 987 value consists of a single Unique Identifier. It is a variable stored inside the server that is only valid and 988 preserved during the execution of a batch of operations. Once the batch of operations has been 989 completed, the ID Placeholder value SHALL beis discarded and/or invalidated by the server, so that 990 subsequent requests do not find this previous ID Placeholder available. 991
The ID Placeholder is obtained from the Unique Identifier returned in response to the Create, Create Pair, 992 Register, Derive Key, Re-Key, Certify, Re-Certify, Locate, and Recover operations. If any of these 993 operations successfully completes and returns a Unique Identifier, then the server SHALL copy this 994 Unique Identifier into the ID Placeholder variable, where it is held until the completion of the operations 995 remaining in the batched request or until a subsequent operation in the batch causes the ID Placeholder 996 to be replaced. If the Batch Error Continuation Option is set to Stop and the Batch Order Option is set to 997 true, then subsequent operations in the batched request MAY make use of the ID Placeholder by omitting 998 the Unique Identifier field from the request payloads for these operations. 999
Requests MAY contain attribute values to be assigned to the object. This information is specified with a 1000 Template-Attribute (see Section 2.1.82.1.8 ) that contains zero or more template names and zero or more 1001 individual attributes. If more than one template name is specified, and there is a conflict between the 1002 single-instance attributes in the templates, then the value in the last of the conflicting 1003 templatessubsequent template takes precedence. If there is a conflict between the single-instance 1004 attributes in the request and the single-instance attributes in a specified template, then the attribute 1005 values in the request take precedence. For multi-value attributes, the union of attribute values is used 1006 when the attributes are specified more than once. 1007
Responses MAY contain attribute values that were not specified in the request, but have been implicitly 1008 set by the server. This information is specified with a Template-Attribute that contains one or more 1009 individual attributes. 1010
For any operations that operate on Managed Objects already stored on the server, any archived object 1011 SHALL first be made available bymoved back on-line through a Recover operation (see Section 4.224.22 1012 ) before they MAY be specified (i.e., as on-line objects). 1013
4.1 4.1 Create 1014
This operation requests the server to generate a new symmetric key as a Managed Cryptographic Object. 1015 This operation is not used to create a Template object (see Register operation, Section 4.34.3 ). 1016
The request contains information about the type of object being created, and some of the attributes to be 1017 assigned to the object (e.g., Cryptographic Algorithm, Cryptographic Length, etc). This information MAY 1018 be specified by the names of Template objects that already exist. 1019
The response contains the Unique Identifier of the created object. The server SHALL copy the Unique 1020 Identifier returned by this operation into the ID Placeholder variable. 1021
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 66 of 176
Request PayloadObject REQUIRED Description
Object Type, see Object Type, see 3.33.3
Yes Determines the type of object to be created.
Template-Attribute, see 2.1.82.1.8 Yes Specifies desired object attributes using templates and/or individual attributes.
Table 107: Create Request Payload 1022
Response PayloadObject REQUIRED Description
Object Type, see Object Type, see 3.33.3
Yes Type of object created.
Unique Identifier, see 3.1 3.13.1 Yes The Unique Identifier of the newly created object.
Template-Attribute, see 2.1.82.1.8 No An OPTIONAL list of object attributes with values that were not specified in the request, but have been implicitly set by the key management server.
Table 108: Create Response Payload 1023
Table 109Table 109Table 109106 indicates which attributes SHALL be included in the Create request 1024 using the Template-Attribute object. 1025
Attribute REQUIREDCryptographic Algorithm, see 3.43.4
Yes
Cryptographic Usage Mask, see 3.143.14
Yes
Table 109: Create Attribute Requirements 1026
4.2 4.2 Create Key Pair 1027
This operation requests the server to generate a new public/private key pair and register the two 1028 corresponding new Managed Cryptographic Objects. 1029
The request contains attributes to be assigned to the objects (e.g., Cryptographic Algorithm, 1030 Cryptographic Length, etc). Attributes and Template Names MAY be specified for both keys at the same 1031 time by specifying a Common Template-Attribute object in the request. Attributes not common to both 1032 keys (e.g., Name, Cryptographic Usage Mask) MAY be specified using the Private Key Template-Attribute 1033 and Public Key Template-Attribute objects in the request, which take precedence over the Common 1034 Template-Attribute object. 1035
A Link Attribute is automatically created by the server for each object, pointing to the corresponding 1036 object. The response contains the Unique Identifiers of both created objects. The ID Placeholder value 1037 SHALL be set to the Unique Identifier of the Private Key. 1038
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 42 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 67 of 176
Request PayloadObject REQUIRED Description
Common Template-Attribute, see 2.1.82.1.8
No Specifies desired attributes in templates and/or as individual attributes that apply to both the Private and Public Key Objects.
Private Key Template-Attribute, see 2.1.82.1.8
No Specifies templates and/or attributes that apply to the Private Key Object. Order of precedence applies.
Public Key Template-Attribute, see 2.1.82.1.8
No Specifies templates and/or attributes that apply to the Public Key Object. Order of precedence applies.
Table 110: Create Key Pair Request Payload 1039
For multi-instance attributes, the union of the values found in the templates and attributes of the 1040 Common, Private, and Public Key Template-Attribute is used. For single-instance attributes, the order of 1041 precedence is as follows: 1042
1. attributes specified explicitly in the Private and Public Key Template-Attribute, then 1043
2. attributes specified via templates in the Private and Public Key Template-Attribute, then 1044
3. attributes specified explicitly in the Common Template-Attribute, then 1045
4. attributes specified via templates in the Common Template-Attribute 1046
If there are multiple templates in the Common, Private, or Public Key Template-Attribute, then the last 1047 subsequent value of the single-instance attribute that conflict takes precedence. 1048
Response PayloadObject REQUIRED Description
Private Key Unique Identifier, see 3.13.1
Yes The Unique Identifier of the newly created Private Key object.
Public Key Unique Identifier, see 3.13.1
Yes The Unique Identifier of the newly created Public Key object.
Private Key Template-Attribute, see 2.1.82.1.8
No An OPTIONAL list of attributes, for the Private Key Object, with values that were not specified in the request, but have been implicitly set by the key management server.
Public Key Template-Attribute, see 2.1.82.1.8
No An OPTIONAL list of attributes, for the Public Key Object, with values that were not specified in the request, but have been implicitly set by the key management server.
Table 111: Create Key Pair Response Payload 1049
Table 112Table 112Table 112109 indicates which attributes SHALL be included in the Create Key pair 1050 request using Template-Attribute objects, as well as which attributes SHALL have the same value for the 1051 Private and Public Key. 1052
Field Code Changed
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 68 of 176
Attribute REQUIRED SHALL contain the same value for both Private and
Public Key Cryptographic Algorithm, see 3.43.4
Yes Yes
Cryptographic Length, see 3.53.5
NoYes Yes
Cryptographic Usage Mask, see 3.143.14
Yes No
Cryptographic Domain Parameters, see 3.73.7
No Yes
Cryptographic Parameters, see 3.63.6
No Yes
Table 112: Create Key Pair Attribute Requirements 1053
Setting the same Cryptographic Length value for both private and public key does not imply that both 1054 keys are of equal length. For RSA, Cryptographic Length corresponds to the bit length of the Modulus. 1055 For DSA and DH algorithms, Cryptographic Length corresponds to the bit length of parameter P, and the 1056 bit length of Q is set separately in the Cryptographic Domain Parameters attribute. For ECDSA, ECDH, 1057 and ECMQV algorithms, Cryptographic Length corresponds to the bit length of parameter Q. 1058
4.3 4.3 Register 1059
This operation requests the server to register a Managed Object that was created by the client or 1060 obtained by the client through some other means, allowing the server to manage the object. The 1061 arguments in the request are similar to those in the Create operation, but also MAY contain the object 1062 itself, for storage by the server. Optionally, objects that are not to be stored by the key management 1063 system MAY be omitted from the request (e.g., private keys). 1064
The request contains information about the type of object being registered and some of the attributes to 1065 be assigned to the object (e.g., Cryptographic Algorithm, Cryptographic Length, etc). This information 1066 MAY be specified by the use of a Template-Attribute object. 1067
The response contains the Unique Identifier assigned by the server to the registered object. The server 1068 SHALL copy the Unique Identifier returned by this operations into the ID Placeholder variable. The Initial 1069 Date attribute of the object SHALL be set to the current time. 1070
Request PayloadObject REQUIRED Description
Object Type, see Object Type, see 3.33.3
Yes Determines the type of object being registered.
Template-Attribute, see 2.1.82.1.8 Yes Specifies desired object attributes using templates and/or individual attributes.
Certificate, Symmetric Key, Private Key, Public Key, Split Key, Template Secret Data or Opaque Object, see 2.22.2
No The object being registered. The object and attributes MAY be wrapped. Some objects (e.g., Private Keys), MAY be omitted from the request.
Table 113: Register Request Payload 1071
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 69 of 176
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the newly registered object.
Template-Attribute, see 2.1.82.1.8 No An OPTIONAL list of object attributes with values that were not specified in the request, but have been implicitly set by the key management server.
Table 114: Register Response Payload 1072
If a Managed Cryptographic Object is registered, then the following attributes SHALL be included in the 1073 Register request, either explicitly, or via specification of a template that contains the attribute. 1074
Attribute REQUIREDCryptographic Algorithm, see 3.43.4
Yes, MAY be omitted only if this information is encapsulated in the Key Block. Does not apply to Secret Data. If present, then Cryptographic Length below SHALL also be present.
Cryptographic Length, see 3.53.5
Yes, MAY be omitted only if this information is encapsulated in the Key Block. Does not apply to Secret Data. If present, then Cryptographic Algorithm above SHALL also be present.
Cryptographic Usage Mask, see 3.143.14
Yes.
Table 115: Register Attribute Requirements 1075
4.4 4.4 Re-key 1076
This request is used to generate a replacement key for an existing symmetric key. It is analogous to the 1077 Create operation, except that attributes of the replacement key are copied from the existing key, with the 1078 exception of the attributes listed in Table 117Table 117Table 117114. 1079
As the replacement key takes over the name attribute of the existing key, Re-key SHOULD only be 1080 performed once on a given key. 1081
The server SHALL copy the Unique Identifier of the replacement key returned by this operation into the ID 1082 Placeholder variable. 1083
As a result of Re-key, the Link attribute of the existing key is set to point to the replacement key and vice 1084 versa. 1085
An Offset MAY be used to indicate the difference between the Initialization Date and the Activation Date 1086 of the replacement key. If no Offset is specified, the Activation Date, Process Start Date, Protect Stop 1087 Date and Deactivation Date values are copied from the existing key. If Offset is set and dates exist for the 1088 existing key, then the dates of the replacement key SHALL be set based on the dates of the existing key 1089 as follows: 1090
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: Do not check spelling or grammar
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 70 of 176
Attribute in Existing Key Attribute in Replacement KeyInitial Date (IT1) Initial Date (IT2) > IT1
Activation Date (AT1) Activation Date (AT2) = IT2+ Offset
Process Start Date (CT1) Process Start Date = CT1+(AT2- AT1)
Protect Stop Date (TT1) Protect Stop Date = TT1+(AT2- AT1)
Deactivation Date (DT1) Deactivation Date = DT1+(AT2- AT1)
Table 116: Computing New Dates from Offset during Re-key 1091
Attributes that are not copied from the existing key and are handled in a specific way for the replacement 1092 key are: 1093
Attribute ActionInitial Date, see Initial Date, see 3.183.18
Set to the current time
Destroy Date, see Destroy Date, see 3.233.23
Not set
Compromise Occurrence Date, see 3.243.24
Not set
Compromise Date, see 3.253.25
Not set
Revocation Reason, see 3.263.26
Not set
Unique Identifier, see 3.13.1
New value generated
Usage Limits, see Usage Limits, see 3.163.16
The Total Bytes/Total Objects value is copied from the existing key, andwhile the Byte Count value is/Object Count values are set to the Total value.Bytes/Total Objects.
Name, see Name, see 3.23.2
Set to the name(s) of the existing key; all name attributes are removed fromof the existing key. are removed.
State, see State, see 3.173.17
Set based on attributes values, such as dates, as shown in Table 116Table 116Table 116113
Digest, see Digest, see 3.123.12
Recomputed from the replacementnew key value
Link, see Link, see 3.293.29
Set to point to the existing key as the replaced key
Last Change Date, see 3.323.32
Set to current time
Field Code Changed
Formatted: Font: 10 pt
Formatted: Font: 10 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 71 of 176
Table 117: Re-key Attribute Requirements 1094
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the existing Symmetric Key being re-keyed. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier..
Offset No An Interval object indicating the difference between the Initialization Date and the Activation Date of the replacement key to be created.
Template-Attribute, see 2.1.82.1.8 No Specifies desired object attributes using templates and/or individual attributes.
Table 118: Re-key Request Payload 1095
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the newly-created replacement Symmetric Key.
Template-Attribute, see 2.1.82.1.8 No An OPTIONAL list of object attributes with values that were not specified in the request, but have been implicitly set by the key management server.
Table 119: Re-key Response Payload 1096
4.5 4.5 Derive Key 1097
This request is used to derive a symmetric key or Secret Data object from using a key or secret data that 1098 is already known to the key management system. The requestIt SHALL only apply to Managed 1099 Cryptographic Objects that have the Derive Key bit set in the Cryptographic Usage Mask attribute of the 1100 specified Managed Object (i.e., are able to be used for key derivation). If the operation is issued for an 1101 object that does not have this bit set, then the server SHALL return an error. For all derivation methods, 1102 the client SHALL specify the desired length of the derived key or Secret Data object secret using the 1103 Cryptographic Length attribute. If a key is created, then the client SHALL specify both its Cryptographic 1104 Length and Cryptographic Algorithm. If the specified length exceeds the output of the derivation method, 1105 then the server SHALL return an error. Clients MAY derive multiple keys and IVs by requesting the 1106 creation of a Secret Data object and specifying a Cryptographic Length that is the total length of the 1107 derived object. The length SHALL NOT exceed the length of the output returned by the chosen derivation 1108 method. 1109
The fields in the request specify the Unique Identifiers of the keys or Secret Data objectssecrets to be 1110 used for derivation (e.g., some derivation methods MAY require multiple keys or Secret Data 1111 objectssecrets to derive the result), the method to be used to perform the derivation, and any parameters 1112 needed by the specified method. The method is specified as an enumerated value. Currently defined 1113 derivation methods include: 1114
• PBKDF2 – This method is used to derive a symmetric key from a password or pass phrase. The 1115 PBKDF2 method is published in [PKCS#5] and [RFC2898]. 1116
• HASH – This method derives a key by computing a hash over the derivation key or the derivation 1117 data. 1118
Field Code Changed
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 72 of 176
• HMAC – This method derives a key by computing an HMAC over the derivation data. 1119
• ENCRYPT – This method derives a key by encrypting the derivation data. 1120
• NIST800-108-C – This method derives a key by computing the KDF in Counter Mode as specified 1121 in [SP800-108]. 1122
• NIST800-108-F – This method derives a key by computing the KDF in Feedback Mode as 1123 specified in [SP800-108]. 1124
• NIST800-108-DPI – This method derives a key by computing the KDF in Double-Pipeline Iteration 1125 Mode as specified in [SP800-108]. 1126
• Extensions 1127
The server SHALL perform the derivation function, and then register the derived object as a new 1128 Managed Object, returning the new Unique Identifier for the new object in the response. The server 1129 SHALL copy the Unique Identifier returned by this operation into the ID Placeholder variable. 1130
As a result of Derive Key, the Link attributes (i.e., Derived Key Link in the objects from which the key is 1131 derived, and the Derivation Base Object Link in the derived key) of all objects involved SHALL be set to 1132 point to the corresponding objects. 1133
Request PayloadObject REQUIRED Description
Object Type, see Object Type, see 3.33.3
Yes Determines the type of object to be created.
Unique Identifier, see 3.13.1 Yes. MAY be repeated
Determines the object or objects to be used to derive a new key. At most, two identifiers MAY be specified: one for the derivation key and another for the secret data. Note that the current value of the ID Placeholder SHALL NOT be used in place of a Unique Identifier in this operation.here.
Derivation Method, see Derivation Method, see 9.1.3.2.209.1.3.2.20
Yes An Enumeration object specifying the method to be used to derive the new key.
Derivation Parameters, see below Yes A Structure object containing the parameters needed by the specified derivation method.
Template-Attribute, see 2.1.82.1.8 Yes Specifies desired object attributes using templates and/or individual attributes; the length and algorithm SHALL always be specified for the creation of a symmetric key.
Table 120: Derive Key Request Payload 1134
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 73 of 176
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the newly derived key or Secret Data object..
Template-Attribute, see 2.1.82.1.8 No An OPTIONAL list of object attributes with values that were not specified in the request, but have been implicitly set by the key management server.
Table 121: Derive Key Response Payload 1135
The Derivation Parameters for all derivation methods consist of the following parameters, except 1136 PBKDF2, which requires two additional parameters. 1137
Object Encoding REQUIREDDerivation Parameters Structure Yes
Cryptographic Parameters, see 3.63.6
Structure Yes, except for HMAC derivation keys.
Initialization Vector Byte String No, depends on PRF and mode of operation: empty IV is assumed if not provided.
Derivation Data Byte String Yes, unless the Unique Identifier of a Secret Data object is provided.
Table 122: Derivation Parameters Structure (Except PBKDF2) 1138
Cryptographic Parameters identify the Pseudorandom Function (PRF) or the mode of operation of the 1139 PRF (e.g., if a key is to be derived using the HASH derivation method, then clients are REQUIRED to 1140 indicate the hash algorithm inside Cryptographic Parameters; similarly, if a key is to be derived using AES 1141 in CBC mode, then clients are REQUIRED to indicate the Block Cipher Mode). The server SHALL verify 1142 that the specified mode matches one of the instances of Cryptographic Parameters set for the 1143 corresponding key. If Cryptographic Parameters are omitted, then the server SHALL select the 1144 Cryptographic Parameters with the lowest Attribute Index for the specified key. If the corresponding key 1145 does not have any Cryptographic Parameters attribute, or if no match is found, then an error is returned. 1146
If a key is derived using HMAC, then the attributes of the derivation key provide enough information about 1147 the PRF and the Cryptographic Parameters are ignored. 1148
Derivation Data is either the data to be encrypted, hashed, or HMACed. For the NIST SP 800-108 1149 methods [SP800-108], Derivation Data is Label||{0x00}||Context, where the all-zero byte is OPTIONAL. 1150
Most derivation methods (e.g., ENCRYPT) require a derivation key and the derivation data to be 1151 usedencrypted. The HASH derivation method requires either a derivation key or derivation data. 1152 Derivation data MAY either be explicitly provided by the client with the Derivation Data field or implicitly 1153 provided by providing the Unique Identifier of a Secret Data object. If both are provided, then an error 1154 SHALL be returned. 1155
The PBKDF2 derivation method requires two additional parameters: 1156
Object Encoding REQUIREDDerivation Parameters Structure Yes
Cryptographic Parameters, see
Structure No, depends on the PRF.
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 74 of 176
3.63.6
Initialization Vector Byte String No, depends on the PRF (if different than those defined in [PKCS#5]) and mode of operation: an empty IV is assumed if not provided.
Derivation Data Byte String Yes, unless the Unique Identifier of a Secret Data object is provided.
Salt Byte String Yes
Iteration Count Integer Yes
Table 123: PBKDF2 Derivation Parameters Structure 1157
4.6 4.6 Certify 1158
This request is used to generate a Certificate object for a public key. This request supports certification of 1159 a new public key as well as certification of a public key that has already been certified (i.e., certificate 1160 update). Only a single certificate SHALL be requested at a time. Server support for this operation is 1161 OPTIONAL, as it requires that the key management system have access to a certification authority (CA). 1162 If the server does not support this operation, an error SHALL be returned. 1163
The Certificate Requests isare passed as a Byte Strings, which allows multiple certificate request types 1164 for X.509 certificates (e.g., PKCS#10, PEM, etc) or PGP certificates to be submitted to the server. 1165
The generated Certificate object whose Unique Identifier is returned MAY be obtained by the client via a 1166 Get operation in the same batch, using the ID Placeholder mechanism. 1167
As a result of Certify, the Link attribute of the Public Key and of the generated certificate SHALL be set to 1168 point at each other. 1169
The server SHALL copy the Unique Identifier of the generated certificate returned by this operation into 1170 the ID Placeholder variable. 1171
If the information in the Certificate Request conflicts with the attributes specified in the Template-Attribute, 1172 then the information in the Certificate Request takes precedence. 1173
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No The Unique Identifier of the Public Key being certified. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier..
Certificate Request Type, see 9.1.3.2.219.1.3.2.21
Yes An Enumeration object specifying the type of certificate request.
Certificate Request Yes A Byte String object with the certificate request.
Template-Attribute, see 2.1.82.1.8 No Specifies desired object attributes using templates and/or individual attributes.
Table 124: Certify Request Payload 1174
Formatted: Normal, Don't adjust spacebetween Latin and Asian text
Formatted: Font: 12 pt
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 75 of 176
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the generated Certificate object.
Template-Attribute, see 2.1.82.1.8 No An OPTIONAL list of object attributes with values that were not specified in the request, but have been implicitly set by the key management server.
Table 125: Certify Response Payload 1175
4.7 4.7 Re-certify 1176
This request is used to renew an existing certificate forwith the same key pair. Only a single certificate 1177 SHALL be renewed at a time. Server support for this operation is OPTIONAL, as it requires that the key 1178 management system to have access to a certification authority (CA). If the server does not support this 1179 operation, an error SHALL be returned. 1180
The Certificate Request isRequests are passed as a Byte Strings, which allows multiple certificate 1181 request types for X.509 certificates (e.g., PKCS#10, PEM, etc) or PGP certificates to be submitted to the 1182 server. 1183
The server SHALL copy the Unique Identifier of the new certificate returned by this operation into the ID 1184 Placeholder variable. 1185
If the information in the Certificate Request field in the request conflicts with the attributes specified in the 1186 Template-Attribute, then the information in the Certificate Request takes precedence. 1187
As the new certificate takes over the name attribute of the existing certificate, Re-certify SHOULD only be 1188 performed once on a given (existing) certificate. 1189
The Link attribute of the existing certificate and of the new certificate are set to point at each other. The 1190 Link attribute of the Public Key is changed to point to the new certificate. 1191
An Offset MAY be used to indicate the difference between the Initialization Date and the Activation Date 1192 of the new certificate. If Offset is set, then the dates of the new certificate SHALL be set based on the 1193 dates of the existing certificate (if such dates exist) as follows: 1194
Attribute in Existing Certificate Attribute in New CertificateInitial Date (IT1) Initial Date (IT2) > IT1
Activation Date (AT1) Activation Date (AT2) = IT2+ Offset
Deactivation Date (DT1) Deactivation Date = DT1+(AT2- AT1)
Table 126: Computing New Dates from Offset during Re-certify 1195
Attributes that are not copied from the existing certificate and that are handled in a specific way for the 1196 new certificate are: 1197
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 76 of 176
Attribute ActionInitial Date, see Initial Date, see 3.183.18
Set to current time
Destroy Date, see Destroy Date, see 3.233.23
Not set
Revocation Reason, see 3.263.26
Not set
Unique Identifier, see 3.23.2
New value generated
Name, see Name, see 3.23.2
Set to the name(s) of the existing certificate; all name attributes are removed fromof the existing certificate. are removed.
State, see State, see 3.173.17
Set based on attributes values, such as dates, as shown in Table 126Table 126Table 126123
Digest, see Digest, see 3.123.12
Recomputed from the new certificate value.
Link, see Link, see 3.293.29
Set to point to the existing certificate as the replaced certificate.
Last Change Date, see 3.323.32
Set to current time
Table 127: Re-certify Attribute Requirements 1198
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No The Unique Identifier of the Certificate being renewed. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier.
Certificate Request Type, see 9.1.3.2.219.1.3.2.21
Yes An Enumeration object specifying the type of certificate request.
Certificate Request Yes A Byte String object with the certificate request.
Offset No An Interval object indicating the difference between the Initialization Time of the new certificate and the Activation Date of the new certificate.
Template-Attribute, see 2.1.82.1.8 No Specifies desired object attributes using templates and/or individual attributes.
Table 128: Re-certify Request Payload 1199
Formatted: Font: 10 pt
Formatted: Font: 10 pt
Field Code Changed
Formatted: Font: Not Italic
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 77 of 176
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the new certificate.
Template-Attribute, see 2.1.82.1.8 No An OPTIONAL list of object attributes with values that were not specified in the request, but have been implicitly set by the key management server.
Table 129: Re-certify Response Payload 1200
4.8 4.8 Locate 1201
This operation requests that the server search for one or more Managed Objects depending on the 1202 attributes specified in the request, specified by one or more attributes. All attributes are allowed to be 1203 used. However, no attributes specified in the request SHOULD contain Attribute Index values SHOULD 1204 NOT be specified in the request. Attribute Index values that are provided SHALL be ignored by the Locate 1205 operation. The request MAY also contain a Maximum Items field, which specifies the maximum number of 1206 objects to be returned. If the Maximum Items field is omitted, then the server MAY return all objects 1207 matched, or MAY impose an internal maximum limit due to resource limitations. 1208
If more than one object satisfies the identification criteria specified in the request, then the response MAY 1209 contain Unique Identifiers for multiple Managed Objects. Returned objects SHALL match all of the 1210 attributes in the request. If no objects match, then an empty response payload is returned. If no attribute 1211 is specified in the request, any object SHALL be deemed to match the Locate request. 1212
The server returns a list of Unique Identifiers of the found objects, which then MAY be retrieved using the 1213 Get operation. If the objects are archived, then the Recover and Get operations are REQUIRED to be 1214 used to obtain those objects. If a single Unique Identifier is returned to the client, then the server SHALL 1215 copy the Unique Identifier returned by this operation into the ID Placeholder variable. If the Locate 1216 operation matches more than one object, and the Maximum Items value is omitted in the request, or is set 1217 to a value larger than one, then the server SHALL empty NOT set the ID Placeholder value, causing any 1218 subsequent operations that are batched with the Locate, and which do not specify a Unique Identifier 1219 explicitly, to fail. This ensures that these batched operations SHALL proceed only if a single object is 1220 returned by Locate. 1221
WildWhen using the Name or Object Group attributes for identification, wild-cards or regular expressions 1222 (defined, e.g., in [ISO/IEC 9945-2ISO/IEC 9945-2]) MAY be supported by specific key management 1223 system implementations for matching attribute fields when the field type is a Text String or a Byte String. 1224
The Date attributes in the Locate request (e.g., Initial Date, Activation Date, etc) are used to specify a 1225 time or a time range for the search. If a single instance of a given Date attribute is used in the request 1226 (e.g., the Activation Date), then objects with the same Date attribute are considered to be matching 1227 candidate objects. If two instances of the same Date attribute are used (i.e., with two different values 1228 specifying a range), then objects for which the Date attribute is inside or at a limit of the range are 1229 considered to be matching candidate objects. If a Date attribute is set to its largest possible value, then it 1230 is equivalent to an undefined attribute. The KMIP Usage Guide [KMIP-UG] provides examples. 1231
When the Cryptographic Usage Mask attribute is specified in the request, candidate objects are 1232 compared against this field via an operation that consists of a logical AND of the requested mask with the 1233 mask in the candidate object, and then a comparison of the resulting value with the requested mask. For 1234 example, if the request contains a mask value of 10001100010000, and a candidate object mask contains 1235 10000100010000, then the logical AND of the two masks is 10000100010000, which is compared against 1236 the mask value in the request (10001100010000) and the match fails the match. This means that a 1237 matching candidate object has all of the bits set in its mask that are set in the requested mask, butand 1238 MAY have additional bits set. 1239
When the Usage Allocation attribute is specified in the request, matching candidate objects SHALL have 1240
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: Font: Not Bold
Formatted: Font: Not Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 78 of 176
an Object or Byte Count and Total Objects or Bytes equal to or larger than the values specified in the 1241 request. 1242
When an attribute that is defined as a structure is specified, all of the structure fields are not REQUIRED 1243 to be specified. For instance, for the Link attribute, if the Linked Object Identifier value is specified without 1244 the Link Type value, then matching candidate objects have the Linked Object Identifier as specified, 1245 irrespective of their Link Type. 1246
The Storage Status Mask field (see Section 9.1.3.3.29.1.3.3.2 ) is used to indicate whether only on-line 1247 objects, only archived objects, or both on-line and archived objects are to be searched. Note that the 1248 server MAY store attributes of archived objects in order to expedite Locate operations that search through 1249 archived objects. 1250
Request PayloadObject REQUIRED Description
Maximum Items No An Integer object that indicates the maximum number of object identifiers the server MAYSHALL return.
Storage Status Mask, see 9.1.3.3.29.1.3.3.2
No An Integer object (used as a bit mask) that indicates whether only on-line objects, only archived objects, or both on-line and archived objects are to be searched. If omitted, then on-line only is assumed.
Attribute, see Attribute, see 33 NoYes, MAY be repeated
Specifies an attribute and its value(s) that are REQUIRED to match those in a candidatethe desired object (according to the matching rules defined above)..
Table 130: Locate Request Payload 1251
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No, MAY be repeated
The Unique Identifier of the located objects.
Table 131: Locate Response Payload 1252
4.9 4.9 Check 1253
This operation requests that the server check for the use of a Managed Object according to values 1254 specified in the request. This operation SHOULD only be used when placed in a batched set of 1255 operations, usually following a Locate, Create, Create Pair, Derive Key, Certify, Re-Certify or Re-Key 1256 operation, and followed by a Get operation. The Unique Identifier field in the request MAY be omitted if 1257 the operation is in a batched set of operations and follows an operation that sets the ID Placeholder 1258 variable. 1259
If the server determines that the client is allowed to use the object according to the specified attributes, 1260 then the server returns the Unique Identifier of the object. 1261
If the server determines that the client is not allowed to use the object according to the specified 1262 attributes, then the server emptiesinvalidates the ID Placeholder value and does not return the Unique 1263 Identifier, and the operation returns the set of attributes specified in the request that caused the server 1264 policy denial. The only attributes returned are those that resulted in the server determining that the client 1265 is not allowed to use the object, thus allowing the client to determine how to proceed. The operation also 1266 returns a failure, and the server SHALL ignore any subsequent operations in the batch. 1267
Field Code Changed
Formatted: No bullets or numbering,Widow/Orphan control, Hyphenate, Don't adjustspace between Latin and Asian text, Tab stops:Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 79 of 176
The additional objects that MAY be specified in the request are limited to: 1268
• Usage Limits Byte Count or Usage Limits Object Count (see Section 3.163.16 ) – The request 1269 MAY contain the usage amount that the client deems necessary to complete its needed function. 1270 This does not require that any subsequent Get Usage Allocation operations request this amount. 1271 It only means that the client is ensuring that the amount specified is available. 1272
• Cryptographic Usage Mask – This is used to specify the cryptographic operations for which the 1273 client intends to use the object (see Section 3.143.14 ). This allows the server to determine if the 1274 policy allows this client to perform these operations with the object. Note that this MAY be a 1275 different value from the one specified in a Locate operation that precedes this operation. Locate, 1276 for example, MAY specify a Cryptographic Usage Mask requesting a key that MAY be used for 1277 both Encryption and Decryption, but the value in the Check operation MAY specify that the client 1278 is only using the key for Encryption at this time. 1279
• Lease Time – This specifies a desired lease time (see Section 3.153.15 ). The client MAY use 1280 this to determine if the server allows the client to use the object with the specified lease or longer. 1281 Including this attribute in the Check operation does not actually cause the server to grant a lease, 1282 but only indicates that the requested lease time value MAY be granted if requested by a 1283 subsequent, batched, Obtain Lease operation. 1284
Note that these objects are not encoded in an Attribute structure as shown in Section 2.1.12.1.1 1285
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object being checked. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier..
Usage Limits Byte Count, see 3.163.16
No Specifies the number of Usage Limits Unitsbytes to be protected to be checked against server policy. SHALL NOT be present if Usage Limits Object Count is present.
Cryptographic Usage Mask, see Usage Limits Object Count, see 3.163.1416
No Specifies the Cryptographic Usage for which the client intends to use the object.Specifies the number of objects to be protected to be checked against server policy. SHALL NOT be present if Usage Limits Byte Count is present.
Lease Time, see Cryptographic Usage Mask, see 3.143.1514
No Specifies a Lease Time value that the Client is asking the server to validate against server policy.Specifies the Cryptographic Usage for which the client intends to use the object.
Lease Time, see 3.153.15 No Specifies a Lease Time value that the Client is asking the server to validate against server policy.
Table 132: Check Request Payload 1286
Field Code Changed
Formatted: Font: 12 pt
Formatted
Field Code Changed
Formatted
Formatted: Don't keep with next
Field Code Changed
Formatted: Keep with next
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 80 of 176
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.1Object YesREQUIRED
The Unique Identifier of the object.Description
Usage Limits Count, see Unique Identifier, see 3.13.161
NoYes Returned by the Server if the Usage Limits value specified in the Request Payload is larger than the value that the server policy allows.The Unique Identifier of the object.
Cryptographic Usage Mask, see Usage Limits Byte Count, see 3.163.1416
No Returned by the Server if the Cryptographic Usage MaskLimits value specified in the Request Payload is rejected bylarger than the value that the server for policy violation.allows. SHALL NOT be present if Usage Limits Object Count is present.
Lease Time, see Usage Limits Object Count, see 3.163.1516
No Returned by the Server if the Lease TimeUsage Limits value specified in the Request Payload is larger than a valid Lease Timethe value that the server MAY grant.policy allows. SHALL NOT be present if Usage Limits Byte Count is present.
Cryptographic Usage Mask, see 3.143.14
No Returned by the Server if the Cryptographic Usage Mask specified in the Request Payload is rejected by the server for policy violation.
Lease Time, see 3.153.15 No Returned by the Server if the Lease Time value in the Request Payload is larger than a valid Lease Time that the server MAY grant.
Table 133: Check Response Payload 1287
The encodings of the Usage limits Byte and Object Counts is as shown in Section 3.163.16 1288
4.10 4.10 Get 1289
This operation requests that the server returns the Managed Object specified in the request by its Unique 1290 Identifier. The Unique Identifier field in the request MAY be omitted if the Get operation is in a batched set 1291 of operations and follows an operation that sets the ID Placeholder variable. 1292
Only a single object is returned. The response contains the Unique Identifier of the object, along with the 1293 object itself, which MAY be wrapped using a wrapping key as specified in the request. 1294
The following key format capabilities SHALL be assumed by the client restrictions apply when the client 1295 requestsrequesting the server to return an object in a particular format: 1296
• If a client registeredregisters a key in a given format, the server SHALL be able to return the key 1297 during the Get operation in theat least that same format that was used when the keyas it was 1298 registered. 1299
• Any other format conversion MAY optionally be supported by the server. 1300
1301
Formatted: Table Contents, Don't adjust spacebetween Latin and Asian text
Formatted Table
Formatted: Table Contents
Formatted: Don't keep with next
Formatted: Font:
Field Code Changed
Formatted: Font:
Formatted: Font:
Formatted: Font:
Formatted
Field Code Changed
Formatted
Formatted
Formatted
Formatted
Formatted
Formatted
Field Code Changed
Formatted: Keep with next
Formatted
Formatted
Formatted
Formatted
Formatted: No bullets or numbering,Widow/Orphan control, Hyphenate, Don't adjustspace between Latin and Asian text, Tab stops:Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 81 of 176
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object being requested. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier..
Key Format Type, see Key Format Type, see 9.1.3.2.39.1.3.2.3
No Determines the key format type to be returned
Key Compression Type, see 9.1.3.2.29.1.3.2.2
No Determines the compression method for elliptic curve public keys
Key Wrapping Specification, see 2.1.62.1.6
No Specifies keys and other information for wrapping the returned object. This field SHALL NOT be specified if the requested object is a Template.
Table 134: Get Request Payload 1302
Response PayloadObject REQUIRED Description
Object Type, see Object Type, see 3.33.3
Yes Type of object
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Certificate, Symmetric Key, Private Key, Public Key, Split Key, Template, Secret Data, or Opaque Object, see 2.22.2
Yes The cryptographic object being returned
Table 135: Get Response Payload 1303
4.11 4.11 Get Attributes 1304
This operation requestsreturns one or more attributes of a Managed Object. The object is specified by its 1305 Unique Identifier and the attributes are specified by their name in the request. If a specified attribute has 1306 multiple instances, then all instances are returned. If a specified attribute does not exist (i.e., has no 1307 value), then it SHALL NOT be present in the returned response. If no requested attributes exist, then the 1308 response SHALL consist only of the Unique Identifier. If no attribute name is specified in the request, all 1309 attributes SHALL be deemed to match the 1310
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object whose attributes are being requested. If omitted, then the ID Placeholder is substituted by the server.
Attribute Name, see 2.1.12.1.1 Yes, MAY be repeated
Specifies a desired attribute of the object
Table 136: Get Attributes requestRequest Payload 1311
Field Code Changed
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 82 of 176
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Attribute, see 2.1.12.1.1 No, MAY be repeated
The requested attribute for the object
Table 137: Get Attributes Response Payload 1312
1.1 Get Attribute List 1313
This operation returns a list of the attribute names associated with a Managed Object. The object is 1314 specified by its Unique Identifier. 1315
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object whose attributesattribute names are being requested. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier.
Attribute Name, see 2.1.1 No, MAY be repeated
Specifies a desired attribute of the object
Table 138: Get AttributesAttribute List Request Payload 1316
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Attribute, see Attribute Name, see 2.1.12.1.1
NoYes, MAY be repeated
The requested attribute names for the object
Table 139: Get Attributes Response Payload 1317
4.12 Get Attribute List 1318
This operation requests a list of the attribute names associated with a Managed Object. The object is 1319 specified by its Unique Identifier. 1320
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.1 No Determines the object whose attribute names are being requested. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
Table 140: Get Attribute List Request Payload 1321
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.1 Yes The Unique Identifier of the object
Attribute Name, see 2.1.1 Yes, MAY be The names of the available attributes
Formatted: Keep with next, Don't adjust spacebetween Latin and Asian text
Field Code Changed
Formatted: Don't keep with next
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 83 of 176
repeated for the object
Table 141: Get Attribute List Response Payload 1322
4.12 4.13 Add Attribute 1323
This request adds a new attribute instance to a Managed Object and sets its value. The request contains 1324 the Unique Identifier of the Managed Object to which the attribute pertains, along with and the attribute 1325 name and value. For non- multi-instance attributes, this is how the attribute value isthey are created. For 1326 multi-instance attributes, this is how the first and subsequent values are created. Existing attribute values 1327 SHALL only be changed by the Modify Attribute operation. Read-Only attributes SHALL NOT be added 1328 using the Add Attribute operation. No Attribute Index SHALL be specified in the request. The response 1329 returns a new Attribute Index, although the Attribute Index MAY be omitted if the index of theattribute 1330 being added attribute instance is 0is allowed to have multiple instances. Multiple Add Attribute requests 1331 MAY be included in a single batched request to add multiple attributes. 1332
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No The Unique Identifier of the object. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier.
Attribute, see Attribute, see 2.1.12.1.1
Yes Specifies the attribute of the object to be added for the object.
Table 142: Add Attribute Request Payload 1333
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Attribute, see 2.1.12.1.1 Yes The added attribute
Table 143: Add Attribute Response Payload 1334
4.13 4.14 Modify Attribute 1335
This request modifies the value of an existing attribute instance associated with a Managed Object. The 1336 request contains the Unique Identifier of the Managed Object whose attribute is to be modified, and the 1337 attribute name, OPTIONAL Attribute Index, and the new value. Only existing attributes MAY be changed 1338 via this operation. New attributes SHALL only be added by the Add Attribute operation. Read-Only 1339 attributes SHALL NOT be changed using this operation. If an Attribute Index is specified, then only the 1340 specified instance of the attribute is modified. If the attribute has multiple instances, and no Attribute 1341 Index is specified in the request, then the Attribute Index is assumed to be 0. If the attribute does not 1342 support multiple instances, then the Attribute Index SHALL NOT be specified. Specifying an Attribute 1343 Index for which there exists no Attribute Value SHALL result in an error. 1344
Request Payload Object REQUIRED Description
Unique Identifier, see 3.13.1 No The Unique Identifier of the object. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier.
Attribute, see Attribute, see Yes Specifies the attribute of the object to
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Field Code Changed
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 84 of 176
2.1.12.1.1 be modified.
Table 144: Modify Attribute Request Payload 1345
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Attribute, see 2.1.12.1.1 Yes The modified attribute
Table 145: Modify Attribute Response Payload 1346
4.14 4.15 Delete Attribute 1347
This request deletes an attribute associated with a Managed Object. The request contains the Unique 1348 Identifier of the Managed Object whose attribute is to be deleted, the attribute name, and optionally the 1349 Attribute Index of the attribute. Attributes thatREQUIRED attributes and Read-Only attributes SHALL 1350 always have a value SHALL neverNOT be deleted by this operation. If no Attribute Index is specified, and 1351 the Attribute whose name is specified has multiple instances, then the operation is rejected. Note that 1352 only a single attribute instance SHALL be deleted at a time. Multiple delete operations (e.g., possibly 1353 batched) are necessary to delete several attribute instancesattributes. Attempting to delete a non-existent 1354 attribute or specifying an Attribute Index for which there exists no Attribute Value SHALL result in an 1355 error. 1356
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object whose attributes are being deleted. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier.
Attribute Name, see Attribute Name, see 2.1.12.1.1
Yes Specifies the name of the attribute to be deleted.
Attribute Index, see Attribute Index, see 2.1.12.1.1
No Specifies the Index of the Attribute.
Table 146: Delete Attribute Request Payload 1357
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Attribute, see Attribute, see 2.1.12.1.1
Yes The deleted attribute
Table 147: Delete Attribute Response Payload 1358
4.15 4.16 Obtain Lease 1359
This request is used to obtain a new Lease Time for a specified Managed Object. The Lease Time is an 1360 interval value that determines when the client's internal cache of information about the object expires and 1361 needs to be renewed. If the returned value of the lease time is zero, then the server is indicating that no 1362 lease interval is effective, and the client MAY use the object without any lease time limit. If a client's lease 1363 expires, then the client SHALL NOT use the associated cryptographic object until a new lease is 1364
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Field Code Changed
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 85 of 176
obtained. If the server determines that a new lease SHALL NOT be issued for the specified cryptographic 1365 object, then the server SHALL respond to the Obtain Lease request with an error. 1366
The response payload for the operation also contains the current value of the Last Change Date attribute 1367 for the object. This MAY be used by the client to determine if any of the attributes cached by the client 1368 need to be refreshed, by comparing this time to the time when the attributes were previously obtained. 1369
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object for which the lease is being obtained. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier.
Table 148: Obtain Lease Request Payload 1370
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object.
Lease Time, see Lease Time, see 3.153.15
Yes An interval (in seconds) that specifies the amount of time that the object MAY be used until a new lease needs to be obtained.
Last Change Date, see 3.323.32 Yes The date and time indicating when the latest change was made to the contents or any attribute of the specified object.
Table 149: Obtain Lease Response Payload 1371
4.16 4.17 Get Usage Allocation 1372
This request is used to obtain an allocation from the current Usage Limits valuevalues to allow the client 1373 to use the Managed Cryptographic Object for applying cryptographic protection. The allocation only 1374 applies to Managed Cryptographic Objects that are able to be used for applying protection (e.g., 1375 symmetric keys for encryption, private keys for signing, etc.) and is only valid if the Managed 1376 Cryptographic Object has a Usage Limits attribute. Usage for processing cryptographically-protected 1377 information (e.g., decryption, verification, etc.) is not limited and is not able to be allocated. A Managed 1378 Cryptographic Object that has a Usage Limits attribute SHALL NOT be used by a client for applying 1379 cryptographic protection unless an allocation has been obtained using this operation. The operation 1380 SHALL only be requested during the time that protection is enabled for these objects (i.e., after the 1381 Activation Date and before the Protect Stop Date). If the operation is requested for an object that has no 1382 Usage Limits attribute, or is not an object that MAY be used for applying cryptographic protection, then 1383 the server SHALL return an error. 1384
The fieldfields in the request specifiesspecify the number of unitsbytes or number of objects that the client 1385 needs to protect. Exactly one of the two count fields SHALL be specified in the request. If the requested 1386 amount is not available or if the Managed Object is not able to be used for applying cryptographic 1387 protection at this time, then the server SHALL return an error. The server SHALL assume that the entire 1388 allocated amount is going to behas been consumed. Once the entire allocated amount has been 1389 consumed, the client SHALL NOT continue to use the Managed Cryptographic Object for applying 1390 cryptographic protection until a new allocation is obtained. 1391
Request Payload
Field Code Changed
Formatted: Font: Not Italic
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 86 of 176
Object REQUIRED Description Unique Identifier, see 3.13.1 No Determines the object whose usage
allocation is being requested. If omitted, then the ID Placeholder is substituted by the server.
Usage Limits Byte Count, see 3.163.16
No The number of bytes to be protected. SHALL be present if Usage Limits Object Count is not present.
Usage Limits Object Count, see 3.163.16
No The number of objects to be protected. SHALL be present if Usage Limits Byte Count is not present.
Table 150: Get Usage Allocation Request Payload 1392
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object.
Table 151: Get Usage Allocation Response Payload 1393
1.2 Activate 1394
This request is used to activate a Managed Cryptographic Object. The request SHALL NOT specify a 1395 Template object. The request contains the Unique Identifier of the Managed Cryptographic Object. The 1396 operation SHALL only be performed on an object in the Pre-Active state and has the effect of changing its 1397 state to Active, and setting its Activation Date to the current date and time. 1398
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object whose usage allocation is being requested.activated. If omitted, then the ID Placeholder is substituted by the server.
Usage Limits Count, see 3.16 Yes The number of Usage Limits Units to be protected.
Table 152: Get Usage Allocation Request Payload 1399
Table 153: Activate Request Payload 1400
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object.
Table 154: Get Usage Allocation Response Payload 1401
4.18 Activate 1402
This request is used to activate a Managed Cryptographic Object. The request SHALL NOT specify a 1403 Template object. The operation SHALL only be performed on an object in the Pre-Active state and has 1404 the effect of changing its state to Active, and setting its Activation Date to the current date and time. 1405
Formatted: Font:
Formatted: Don't keep with next
Formatted: Font:
Formatted: Don't keep with next
Formatted Table
Formatted: Font:
Formatted: Don't keep with next, Don't adjustspace between Latin and Asian text
Field Code Changed
Formatted: Font:
Formatted: Don't keep with next
Formatted: Font:
Formatted: Font:
Formatted: Font:
Formatted: Don't keep with next
Formatted: Font:
Formatted: Don't keep with next
Formatted Table
Field Code Changed
Formatted: Font:
Formatted: Don't keep with next
Formatted: Font:
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 87 of 176
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.1 No Determines the object being activated. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
Table 155: Activate Request Payload 1406
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.1 Yes The Unique Identifier of the object
Table 156: Activate Response Payload 1407
4.17 4.19 Revoke 1408
This request is used to revoke a Managed Cryptographic Object or an Opaque Object. The request 1409 SHALL NOT specify a Template object. The request contains the unique identifier of the Managed 1410 Cryptographic Object and a reason for the revocation (e.g., “compromised”, “no longer used”, etc). 1411 Special authentication and authorization SHOULD be enforced to perform this request (see [KMIP-UG]). 1412 Only the object creator or an authorized security officer SHOULD be allowed to issue this request. The 1413 operation has one of two effects. If the revocation reason is “compromised”, then the object is placed into 1414 the “compromised” state, and the Compromise Date attribute is set to the current date and time. 1415 Otherwise, the object is placed into the “deactivated” state, and the Deactivation Date attribute is set to 1416 the current date and time. 1417
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object being revoked. If omitted, then the ID Placeholder is substituted by the server.
Revocation Reason, see 3.263.26 Yes Specifies the reason for revocation.
Compromise Occurrence Date, see 3.243.24
No SHALL be specified if the Revocation Reason is 'compromised'.
Table 157: Revoke Request Payload 1418
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Table 158: Revoke Response Payload 1419
1.3 Destroy 1420
This request is used to indicate to the server that the key material for the specified Managed Object 1421 SHALL be destroyed. The meta-data for the key material MAY be retained by the server (e.g., used to 1422 ensure that an expired or revoked private signing key is no longer available). Special authentication and 1423 authorization SHOULD be enforced to perform this request (see [KMIP-UG]). Only the object creator or 1424 an authorized security officer SHOULD be allowed to issue this request. If the Unique Identifier specifies 1425 a Template object, then the object itself, including all meta-data, SHALL be destroyed. 1426
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 88 of 176
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object being revoked.destroyed. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier..
Revocation Reason, see 3.26 Yes Specifies the reason for revocation.
Compromise Occurrence Date, see 3.24
No SHALL be specified if the Revocation Reason is 'compromised'.
Table 159: Revoke: Destroy Request Payload 1427
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Table 160: Revoke Response Payload 1428
4.20 Destroy 1429
This request is used to indicate to the server that the key material for the specified Managed Object 1430 SHALL be destroyed. The meta-data for the key material MAY be retained by the server (e.g., used to 1431 ensure that an expired or revoked private signing key is no longer available). Special authentication and 1432 authorization SHOULD be enforced to perform this request (see [KMIP-UG]). Only the object creator or 1433 an authorized security officer SHOULD be allowed to issue this request. If the Unique Identifier specifies 1434 a Template object, then the object itself, including all meta-data, SHALL be destroyed. Cryptographic 1435 Objects MAY only be destroyed if they are in either Pre-Active or Deactivated state. A Cryptographic 1436 Object in the Active state MAY be destroyed if the server sets the Deactivation date (the state of the 1437 object transitions to Deactivated) prior to destroying the object. 1438
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.1 No Determines the object being destroyed. If omitted, then the ID Placeholder value is used by the server as the Unique Identifier.
Table 161: Destroy Request Payload 1439
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.1 Yes The Unique Identifier of the object
Table 162: Destroy Response Payload 1440
4.18 4.21 Archive 1441
This request is used to specify that a Managed Object MAY be archived. The actual time when the object 1442 is archived, the location of the archive, or level of archive hierarchy is determined by the policies within 1443 the key management system and is not specified by the client. The request contains the unique identifier 1444 of the Managed Object. Special authentication and authorization SHOULD be enforced to perform this 1445 request (see [KMIP-UG]). Only the object creator or an authorized security officer SHOULD be allowed to 1446
Formatted: Keep with next, Don't adjust spacebetween Latin and Asian text
Field Code Changed
Formatted: Don't keep with next
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 89 of 176
issue this request. This request is only an indication from a client that from its point of view it is possible 1447 for “hint” to the key management system to possibly archive the object. 1448
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object being archived. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier..
Table 163: Archive Request Payload 1449
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Table 164: Archive Response Payload 1450
4.19 4.22 Recover 1451
This request is used to obtain access to a Managed Object that has been archived. This request MAY 1452 require asynchronous polling to obtain the response due to delays caused by retrieving the object from 1453 the archive. Once the response is received, the object is now on-line, and MAY be obtained (e.g., via a 1454 Get operation). Special authentication and authorization SHOULD be enforced to perform this request 1455 (see [KMIP-UG]). 1456
Request PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 No Determines the object being recovered. If omitted, then the ID Placeholder value is usedsubstituted by the server as the Unique Identifier..
Table 165: Recover Request Payload 1457
Response PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object
Table 166: Recover Response Payload 1458
4.20 4.23 Validate 1459
This requests that the server validate a certificate chain and return information on its validity. Only a 1460 single certificate chain SHALL be included in each request. Support for this operation at the server is 1461 OPTIONAL. If the server does not support this operation, an error SHALL be returned. 1462
The request may contain a list of certificate objects, and/or a list of Unique Identifiers that identify 1463 Managed Certificate objects. Together, the two lists compose a certificate chain to be validated. The 1464 request MAY also contain a date for which all certificates in the certificate chain areis REQUIRED to be 1465 valid. 1466
The method or policy by which validation is conducted is a decision of the server and is outside of the 1467 scope of this protocol. Likewise, the order in which the supplied certificate chain is validated and the 1468 specification of trust anchors used to terminate validation are also controlled by the server. 1469
Field Code Changed
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Field Code Changed
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 90 of 176
Request PayloadObject REQUIRED Description
Certificate, see 2.2.12.2.1 No, MAY be repeated
One or more Certificates.
Unique Identifier, see 3.13.1 No, MAY be repeated
One or more Unique Identifiers of Certificate Objects.
Validity Date No A Date-Time object indicating when the certificate chain needs to beis valid.
Table 167: Validate Request Payload 1470
Response PayloadObject REQUIRED Description
Validity Indicator, see 9.1.3.2.229.1.3.2.22
Yes An Enumeration object indicating whether the certificate chain is valid, invalid, or unknown.
Table 168: Validate Response Payload 1471
4.21 4.24 Query 1472
This request is used by the client to interrogate the server to determine its capabilities and/or protocol 1473 mechanisms. The Query operation SHOULD be invocable by unauthenticated clients to interrogate server 1474 features and functions. The Query Function field in the request SHALL contain one or more of the 1475 following items: 1476
• Query Operations 1477
• Query Objects 1478
• Query Server Information 1479
• Query Application Namespaces 1480
The Operation fields in the response contain Operation enumerated values, which SHALL list all the 1481 OPTIONAL operations that the server supports. If the request contains a Query Operations value in the 1482 Query Function field, then these fields SHALL be returned in the response. The OPTIONAL operations 1483 are: 1484
• Validate 1485
• Certify 1486
• Re-Certify 1487
• Notify 1488
• Put 1489
The Object Type fields in the response contain Object Type enumerated values, which SHALL list all the 1490 object types that the server supports. If the request contains a Query Objects value in the Query Function 1491 field, then these fields SHALL be returned in the response. The object types (any of which are 1492 OPTIONAL) are: 1493
• Certificate 1494
• Symmetric Key 1495
• Public Key 1496
• Private Key 1497
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: Don't hyphenate, Tab stops: 143.45 pt, Left
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 91 of 176
• Split Key 1498
• Template 1499
• Secret Data 1500
• Opaque Object 1501
The Server Information field in the response is a structure containing vendor-specific fields and/or 1502 substructures. If the request contains a Query Server Information value in the Query Function field, then 1503 this field SHALL be returned in the response. 1504
The Application Namespace fields in the response contain the namespaces that the server SHALL 1505 generate values for if requested by the client (see Section 3.303.30 ). These fields SHALL only be 1506 returned in the response if the request contains a Query Application Namespaces value in the Query 1507 Function field. 1508
Note that the response payload is empty if there are no values to return. 1509
Request PayloadObject REQUIRED Description
Query Function, see 9.1.3.2.239.1.3.2.23
Yes, MAY be Repeated
Determines the information being queried
Table 169: Query Request Payload 1510
Response PayloadObject REQUIRED Description
Operation, see Operation, see 9.1.3.2.269.1.3.2.26
No, MAY be repeated
Specifies an Operation that is supported by the server. Only OPTIONAL operations SHALL be listed.
Object Type, see Object Type, see 3.33.3
No, MAY be repeated
Specifies a Managed Object Type that is supported by the server.
Vendor Identification No SHALL be returned if Query Server Information is requested. The Vendor Identification SHALL be a text string that uniquely identifies the vendor.
Server Information No Contains vendor-specific information possibly be of interest to the client.
Application Namespace, see 3.303.30
No, MAY be repeated
Specifies an Application Namespace supported by the server.
Table 170: Query Response Payload 1511
4.22 4.25 Cancel 1512
This request is used to cancel an outstanding asynchronous operation. The correlation value (see Section 1513 6.86.8 ) of the original operation SHALL be specified in the request. The server SHALL respond with a 1514 Cancellation Result that contains one of the following values: 1515
• Canceled – The cancel operation succeeded in canceling the pending operation. 1516
• Unable To Cancel – The cancel operation is unable to cancel the pending operation. 1517
• Completed – The pending operation completed successfully before the cancellation operation 1518 was able to cancel it. 1519
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 92 of 176
• Failed – The pending operation completed with a failure before the cancellation operation was 1520 able to cancel it. 1521
• Unavailable – The specified correlation value did not match any recently pending or completed 1522 asynchronous operations. 1523
The response to this operation is not able to be asynchronous. 1524
Request PayloadObject REQUIRED Description
Asynchronous Correlation Value, see 6.86.8
Yes Specifies the request being canceled
Table 171: Cancel Request Payload 1525
Response PayloadObject REQUIRED Description
Asynchronous Correlation Value, see 6.86.8
Yes Specified in the request
Cancellation Result, see 9.1.3.2.249.1.3.2.24
Yes Enumeration indicating the result of the cancellation
Table 172: Cancel Response Payload 1526
4.23 4.26 Poll 1527
This request is used to poll the server in order to obtain the status of an outstanding asynchronous 1528 operation. The correlation value (see Section 6.86.8 ) of the original operation SHALL be specified in the 1529 request. The response to this operation SHALL NOT be asynchronous. 1530
Request PayloadObject REQUIRED Description
Asynchronous Correlation Value, see 6.86.8
Yes Specifies the request being polled
Table 173: Poll Request Payload 1531
The server SHALL reply with one of two responses: 1532
If the operation has not completed, the response SHALL contain no payload and a Result Status of 1533 Pending. 1534
If the operation has completed, the response SHALL contain the appropriate payload for the operation. 1535 This response SHALL be identical to the response that would have been sent if the operation had 1536 completed synchronously. 1537
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 93 of 176
5 5 Server-to-Client Operations 1538
Server-to-client operations are used by servers to send information or Managed Cryptographic Objects to 1539 clients via means outside of the normal client-server request-response mechanism. These operations are 1540 used to send Managed Cryptographic Objects directly to clients without a specific request from the client. 1541
5.1 5.1 Notify 1542
This operation is used to notify a client of events that resulted in changes to attributes of an object. This 1543 operation is only ever sent by a server to a client via means outside of the normal client request/response 1544 protocol, using information known to the server via unspecified configuration or administrative 1545 mechanisms. It contains the Unique Identifier of the object to which the notification applies, and a list of 1546 the attributes whose changed values have triggered the notification. The message uses the same 1547 formatis sent as a normal Request message (see 7.1, Table 192Table 185Table 185), except that the 1548 Maximum Response Size, Asynchronous Indicator, Batch Error Continuation Option, and Batch Order 1549 Option fields are not allowed. The client SHALL send a response in the form of a Response Message 1550 (see 7.1, Table 193Table 186Table 186) containing no payload, unless both the client and server have 1551 prior knowledge (obtained via out-of-band mechanisms) that the client is not able to respond. Server and 1552 Client support for this message is OPTIONAL. 1553
Message PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object.
Attribute, see Attribute, see 33 Yes, MAY be repeated
The attributes that have changed. This includes at least the Last Change Date attribute. In case an attribute was deleted, the Attribute structure (see 2.1.1) in question SHALL NOT contain the Attribute Value field.
Table 174: Notify Message Payload 1554
5.2 5.2 Put 1555
This operation is used to “push” Managed Cryptographic Objects to clients. This operation is only ever 1556 sent by a server to a client via means outside of the normal client request/response protocol, using 1557 information known to the server via unspecified configuration or administrative mechanisms. It contains 1558 the Unique Identifier of the object that is being sent, and the object itself. The message uses the same 1559 formatis sent as a normal Request message (see 7.1, Table 192Table 185Table 185), except that the 1560 Maximum Response Size, Asynchronous Indicator, Batch Error Continuation Option, and Batch Order 1561 Option fields are not allowed. The client SHALL send a response in the form of a Response Message 1562 (see 7.1, Table 193Table 186Table 186) containing no payload, unless both the client and server have 1563 prior knowledge (obtained via out-of-band mechanisms) that the client is not able to respond. Server and 1564 client support for this message is OPTIONAL. 1565
The Put Function field indicates whether the object being “pushed” is a new object, or is a replacement for 1566 an object already known to the client (e.g., when pushing a certificate to replace one that is about to 1567 expire, the Put Function field would be set to indicate replacement, and the Unique Identifier of the 1568 expiring certificate would be placed in the Replaced Unique Identifier field). The Put Function SHALL 1569 contain one of the following values: 1570
• New – which indicates that the object is not a replacement for another object. 1571
• Replace – which indicates that the object is a replacement for another object, and that the 1572 Replaced Unique Identifier field is present and contains the identification of the replaced object. In 1573
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Field Code Changed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 94 of 176
case the object with the Replaced Unique Identifier does not exist at the client, the client SHALL 1574 interpret this as if the Put Function contained the value New. 1575
The Attribute field contains one or more attributes that the server is sending along with the object. The 1576 server MAY include attributes with the object to specify how the object is to be used by the client. The 1577 server MAY include a Lease Time attribute that grants a lease to the client. 1578
If the Managed Object is a wrapped key, then the key wrapping specification SHALL be exchanged prior 1579 to the transfer via out-of-band mechanisms. 1580
Message PayloadObject REQUIRED Description
Unique Identifier, see 3.13.1 Yes The Unique Identifier of the object.
Put Function, see Put Function, see 9.1.3.2.259.1.3.2.25
Yes Indicates function for Put message.
Replaced Unique Identifier, see 3.13.1
No Unique Identifier of the replaced object. SHALL be present if the Put Function is Replace.
Certificate, Symmetric Key, Private Key, Public Key, Split Key, Template, Secret Data, or Opaque Object, see 2.22.2
Yes The object being sent to the client.
Attribute, see Attribute, see 33 No, MAY be repeated
The additional attributes that the server wishes to send with the object.
Table 175: Put Message Payload 1581
Formatted
Field Code Changed
Formatted
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 95 of 176
6 6 Message Contents 1582
The messages in the protocol consist of a message header, one or more batch items (which contain 1583 OPTIONAL message payloads), and OPTIONAL message extensions. The message headers contain 1584 fields whose presence is determined by the protocol features used (e.g., asynchronous responses). The 1585 field contents are also determined by whether the message is a request or a response. The message 1586 payload is determined by the specific operation being requested or to which is being replied. 1587
The message headers are structures that contain some of the following objects. 1588
6.1 6.1 Protocol Version 1589
This field contains the version number of the protocol, ensuring that the protocol is fully understood by 1590 both communicating parties. The version number SHALL be is specified in two parts, major and minor. 1591 Servers and clients SHALL support backward compatibility with versions of the protocol with the same 1592 major version. Support for backward compatibility with different major versions is OPTIONAL. 1593
Object EncodingProtocol Version Structure
Protocol Version Major Integer
Protocol Version Minor Integer
Object Encoding REQUIREDProtocol Version Structure
Protocol Version Major Integer Yes
Protocol Version Minor Integer Yes
Table 176: Protocol Version Structure in Message Header 1594
6.2 6.2 Operation 1595
This field indicates the operation being requested or the operation for which the response is being 1596 returned. The operations are defined in Sections 44 and 55 1597
Object EncodingOperation Enumeration, see 9.1.3.2.26
Object EncodingOperation Enumeration, see
9.1.3.2.269.1.3.2.26
Table 177: Operation in Batch Item 1598
6.3 6.3 Maximum Response Size 1599
This field is optionally contained in a request message, and is used to indicate the maximum size of a 1600 response, in bytes, that the requester SHALL handle. It SHOULD only be sent in requests that possibly 1601 return large replies. 1602
Object EncodingMaximum Response Size Integer
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 96 of 176
Object EncodingMaximum Response Size Integer
Table 178: Maximum Response Size in Message Request Header 1603
6.4 6.4 Unique Batch Item ID 1604
This field is optionally contained in a request, and is used for correlation between requests and 1605 responses. If a request has a Unique Batch Item ID, then responses to that request SHALL have the 1606 same Unique Batch Item ID. 1607
Object EncodingUnique Batch Item ID Byte String
Table 1608
Object EncodingUnique Batch Item ID Byte String
Table 179: Unique Batch Item ID in Batch Item 1609
6.5 6.5 Time Stamp 1610
This field is optionally contained in a client request. It, is REQUIRED in a server request and response. It, 1611 is used for time stamping, and MAY be used to enforce reasonable time usage at a client (e.g., a server 1612 MAY choose to reject a request if a client's time stamp contains a value that is too far off the 1613 server’sknown correct time). Note that the time stamp MAY be used by a client that has no real-time 1614 clock, but has a countdown timer, to obtain useful “seconds from now” values from all of the Date 1615 attributes by performing a subtraction. 1616
Object EncodingTime Stamp Date-Time
Object EncodingTime Stamp Date-Time
Table 180: Time Stamp in Message Header 1617
6.6 6.6 Authentication 1618
This is used to authenticate the requester. It is an OPTIONAL information item, depending on the type of 1619 request being issued and on server policies. Servers MAY require authentication on no requests, a 1620 subset of the requests, or all requests, depending on policy. Query operations used to interrogate server 1621 features and functions SHOULD NOT require authentication. The Authentication structure SHALL contain 1622 a Credential structure. 1623
The authentication mechanisms are described and discussed in Section 88 . 1624
Object EncodingAuthentication Structure
Credential Structure, see 2.1.2
Object Encoding REQUIREDAuthentication Structure
Credential Structure, see Yes
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 97 of 176
2.1.22.1.2
Table 181: Authentication Structure in Message Header 1625
6.7 6.7 Asynchronous Indicator 1626
This Boolean flag indicates whether the client is able to accept an asynchronous response. It SHALL 1627 have the Boolean value True if the client is able to handle asynchronous responses, and the value False 1628 otherwise. If not present in a request, then False is assumed. If a client indicates that it is not able to 1629 handle asynchronous responses (i.e., flag is set to False), and the server is not able to process the 1630 request synchronously, then the server SHALL respond to the request with a failure. 1631
Object EncodingAsynchronous Indicator Boolean
Object EncodingAsynchronous Indicator Boolean
Table 182: Asynchronous Indicator in Message Request Header 1632
6.8 6.8 Asynchronous Correlation Value 1633
This is returned in the immediate response to an operation that is pending and that requires 1634 asynchronous polling. Note: the server decides which operations are performed synchronously or 1635 asynchronously. A server-generated correlation value SHALL be specified in any subsequent Poll or 1636 Cancel operations that pertain to the original operation. 1637
Object EncodingAsynchronous Correlation Value
Byte String
Object EncodingAsynchronous Correlation Value
Byte String
Table 183: Asynchronous Correlation Value in Response Batch Item 1638
6.9 6.9 Result Status 1639
This is sent in a response message and indicates the success or failure of a request. The following values 1640 MAY be set in this field: 1641
• Success – The requested operation completed successfully. 1642
• Operation Pending – The requested operation is in progress, and it is necessary to obtain the 1643 actual result via asynchronous polling. The asynchronous correlation value SHALL be used for 1644 the subsequent polling of the result status. 1645
• Operation Undone – The requested operation was performed, but had to be undone (i.e., due to a 1646 failure in a batch for which the Error Continuation Option (see 6.13 and 6.1 7.2) was set to Undo). 1647
• Operation FailedFailure – The requested operation failed. 1648
Object EncodingResult Status Enumeration, see 9.1.3.2.27
Object EncodingResult Status Enumeration, see
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 0 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 98 of 176
9.1.3.2.279.1.3.2.27
Table 184: Result Status in Response Batch Item 1649
6.10 6.10 Result Reason 1650
This field indicates a reason for failure or a modifier for a partially successful operation and SHALL be 1651 present in responses that return a Result Status of Failure. In such a case the Result Reason SHALL be 1652 set as specified in Section 1111 . It is OPTIONAL in any response that returns a Result Status of 1653 Success. The following defined values are defined for this field: 1654
• Item not found – A requested object was not found or did not exist. 1655
• Response too large – The response to a request would exceed the Maximum Response Size in 1656 the request. 1657
• Authentication not successful – The authentication information in the request was not able to be 1658 validated, or there was no authentication information in the request when there SHOULD have 1659 been. 1660
• Invalid message – The request message was not understood by the server. 1661
• Operation not supported – The operation requested by the request message is not supported by 1662 the server. 1663
• Missing data – The operation requires additional OPTIONAL information in the request, which 1664 was not present. 1665
• Invalid field – Some data item in the request has an invalid value. 1666
• Feature not supported – An OPTIONAL feature specified in the request is not supported. 1667
• Operation canceled by requester – The operation was asynchronous, and the operation was 1668 canceled by the Cancel operation before it completed successfully. 1669
• Cryptographic failure – The operation failed due to a cryptographic error. 1670
• Illegal operation – The client requested an operation that was not able to be performed with the 1671 specified parameters. 1672
• Permission denied – The client does not have permission to perform the requested operation. 1673
• Object archived – The object SHALL be recovered from the archive before performing the 1674 operation. 1675
• Index Out of Bounds – The client tried to set more instances than the server supports of an 1676 attribute that MAY have multiple instances. 1677
• Application Namespace Not Supported – The particular Application Namespace is not supported, 1678 and server was not able to generate the Application Data field of an Application Specific 1679 Information attribute if the field was omitted from the client request. 1680
• Key Format Type and/or Key Compression Type Not Supported – The object exists but the server 1681 is unable to provide it in the desired Key Format Type and/or Key Compression Type. 1682
• General failure – The request failed for a reason other than the defined reasons above. 1683
Object EncodingResult Reason Enumeration, see 9.1.3.2.28
Table 1684
Object EncodingResult Reason Enumeration, see
9.1.3.2.289.1.3.2.28
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 99 of 176
Table 185: Result Reason in Response Batch Item 1685
6.11 6.11 Result Message 1686
This field MAY be returned in a response. It contains a more descriptive error message, which MAY be 1687 provided to an end user or used by the client to display to an end user or for logging/auditing purposes. 1688
Object EncodingResult Message Text String
Object EncodingResult Message Text String
Table 186: Result Message in Response Batch Item 1689
6.12 6.12 Batch Order Option 1690
A Boolean value used in requests where the Batch Count is greater than 1. If True, then batched 1691 operations SHALL be executed in the order in which they appear within the request. If False, then the 1692 server MAY choose to execute the batched operations in any order. If not specified, then False is 1693 assumed (i.e., no implied ordering). Server support for this feature is OPTIONAL, but if the server does 1694 not support the feature, and a request is received with the batch order option set to True, then the entire 1695 request SHALL be rejected. 1696
Object EncodingBatch Order Option Boolean
Object EncodingBatch Order Option Boolean
Table 187: Batch Order Option in Message Request Header 1697
6.13 6.13 Batch Error Continuation Option 1698
This option SHALL only be present if the Batch Count is greater than 1. This option SHALL have one of 1699 three values: 1700
• Undo – If any operation in the request fails, then the server SHALL undo all the previous 1701 operations. 1702
• Stop – If an operation fails, then the server SHALL NOT continue processing subsequent 1703 operations in the request. Completed operations SHALL NOT be undone. 1704
• Continue – Return an error for the failed operation, and continue processing subsequent 1705 operations in the request. 1706
If not specified, then Stop is assumed. 1707
Server support for this feature is OPTIONAL, but if the server does not support the feature, and a request 1708 is received containing the Batch Error Continuation option with a value other than the default Stop, then 1709 the entire request SHALL be rejected. 1710
Object EncodingBatch Error Continuation Option
Enumeration, see 9.1.3.2.29
Table 1711
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 100 of 176
Object EncodingBatch Error Continuation Option
Enumeration, see 9.1.3.2.299.1.3.2.29
Table 188: Batch Error Continuation Option in Message Request Header 1712
6.14 6.14 Batch Count 1713
This field contains the number of Batch Items in a message and is REQUIRED. If only a single operation 1714 is being requested, then the batch count SHALL be set to 1. The Message Payload, which follows the 1715 Message Header, contains one or more batch items. 1716
Object EncodingBatch Count Integer
Table 1717
Object EncodingBatch Count Integer
Table 189: Batch Count in Message Header 1718
6.15 6.15 Batch Item 1719
This field consists of a structure that holds the individual requests or responses in a batch, and is 1720 REQUIRED. The contents of the batch items are described in Sections 7.27.2 and 6.1 7.23 . 1721
Object EncodingBatch Item Structure
Object EncodingBatch Item Structure
Table 190: Batch Item in Message 1722
6.16 6.16 Message Extension 1723
The Message Extension is an OPTIONAL structure that MAY be appended to any Batch Item. It is used 1724 to extend protocol messages for the purpose of adding vendor- specified extensions. The Message 1725 Extension is a structure that SHALL contain the containing a Vendor Identification, a Criticality Indicator, 1726 and Vendor Extension fields.vendor-specific extensions. The Vendor Identification SHALL be a text string 1727 that uniquely identifies the vendor, allowing a client to determine if it is able to parse and understand the 1728 extension. If a client or server receives a protocol message containing a message extension that it does 1729 not understand, then its actions depend on the Criticality Indicator. If the indicator is True (i.e., Critical), 1730 and the receiver does not understand the extension, then the receiver SHALL reject the entire message. 1731 If the indicator is False (i.e., Non-Critical), and the receiver does not understand the extension, then the 1732 receiver MAY process the rest of the message as if the extension were not present. The Vendor 1733 Extension structure SHALL contain vendor-specific extensions. 1734
Object EncodingMessage Extension Structure
Vendor Identification Text String
Criticality Indicator Boolean
Vendor Extension Structure
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt + 438.8 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 101 of 176
Object Encoding REQUIREDMessage Extension Structure
Vendor Identification Text String Yes
Criticality Indicator Boolean Yes
Vendor Extension Structure Yes
Table 191: Message Extension Structure in Batch Item 1735
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 102 of 176
7 7 Message Format 1736
Messages contain the following objects and fields. All fields SHALL appear in the order specified. 1737
7.1 7.1 Message Structure 1738
Object Encoding REQUIREDRequest Message Structure
Request Header Structure, see Structure, see Table 195Table 187Table 187184 and Table 199Table 188
Yes
Batch Item Structure, see Structure, see Table 196Table 188Table 188185 and Table 200Table 189
Yes, MAY be repeated
Table 192: Request Message Structure 1739
Object Encoding REQUIREDResponse Message Structure
Response Header Structure, see Structure, see Table 197Table 189Table 189186 and Table 201Table 190
Yes
Batch Item Structure, see Structure, see Table 198Table 190Table 190187 and Table 202Table 191
Yes, MAY be repeated
Table 193: Response Message Structure 1740
7.2 7.2 Synchronous Operations 1741
If the client is capable of accepting asynchronous responses, then it MAY set the Asynchronous Indicator 1742 in the header of a batched request. The batched responses MAY contain a mixture of synchronous and 1743 asynchronous responses. 1744
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Field Code Changed
Formatted: Font: 10 pt
Formatted: Font: 10 pt, Check spelling andgrammar
Formatted: Font: 10 pt
Field Code Changed
Formatted: Font: 10 pt
Formatted: Font: 10 pt, Check spelling andgrammar
Formatted: Font: 10 pt
Field Code Changed
Formatted: Font: 10 pt
Formatted: Font: 10 pt, Check spelling andgrammar
Formatted: Font: 10 pt
Field Code Changed
Formatted: Font: 10 pt
Formatted: Font: 10 pt, Check spelling andgrammar
Formatted: Font: 10 pt
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: Font: 14 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 103 of 176
Synchronous Request HeaderObject REQUIRED in Message Comment
Request Header Yes Structure
Protocol Version Yes See See 6.16.1
Maximum Response Size
No See See 6.36.3
Asynchronous IndicatorAuthentication
No If present, SHALL be set to True, see See 6.66.76
AuthenticationBatch Error Continuation Option
No See If omitted, then Stop is assumed, see 6.136.613
Batch Error ContinuationOrder Option
No If omitted, then StopFalse is assumed, see 6.126.1312
Batch Order Option Time Stamp
No If omitted, then False is assumed, see See 6.56.125
Time StampBatch Count
NoYes See See 6.146.514
Batch Count Yes See 6.14
Table 194: Request Header Structure 1745
Request Batch Item
Table 195: Synchronous Request Header Structure 1746
Synchronous Request Batch ItemObject REQUIRED in Message Comment
Batch Item Yes Structure, see Structure, see 6.156.15
Operation Yes See See 6.26.2
Unique Batch Item ID
No REQUIRED if Batch Count > 1, see 6.46.4
Request Payload Yes Structure, contents depend on the Operation, see 44 and 55
Message Extension No See See 6.166.16
Table 196:: Synchronous Request Batch Item Structure 1747
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Formatted: Don't keep with next
Field Code Changed
Formatted Table
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 104 of 176
Synchronous Response HeaderObject REQUIRED in Message Comment
Response Header Yes Structure
Protocol Version Yes See See 6.16.1
Time Stamp Yes See See 6.56.5
Batch Count Yes See See 6.146.14
Table 197:: Synchronous Response Header Structure 1748
Synchronous Response Batch ItemObject REQUIRED in Message Comment
Batch Item Yes Structure, see 6.156.15
Operation Yes, if not a failure See 6.26.2
Unique Batch Item ID
No REQUIRED if present in Request Batch Item, see 6.46.4
Result Status Yes See 6.96.9
Result Reason No Only present if Result Status is not Success, see 6.106.10
Result Message No Only present if Result Status is not Success, see 6.116.11
Response Payload Yes, if not a failure Structure, contents depend on the Operation, see 44 and 55
Message Extension No See 6.166.16
Table 198: Synchronous Response Batch Item Structure 1749
6.1 Asynchronous Operations 1750
If the client is capable of accepting asynchronous responses, then it MAY set the Asynchronous Indicator 1751 in the header of a batched request. The batched responses MAY contain a mixture of synchronous and 1752 asynchronous responses. 1753
Formatted: Font: Not Bold
Formatted: Don't keep with next
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 105 of 176
Asynchronous Request HeaderObject REQUIRED in Message Comment
Request Header Yes Structure
Protocol Version Yes See 6.16.1
Maximum Response Size
No See 6.36.3
Asynchronous Indicator
Yes SHALL be set to True, see 6.76.7
Authentication No See 6.66.6
Batch Error Continuation Option
No If omitted, then Stop is assumed, see 6.136.13
Batch Order Option No If omitted, then False is assumed, see 6.126.12
Time Stamp No See 6.56.5
Batch Count Yes See 6.146.14
Table 199: Asynchronous Request Header Structure 1754
Asynchronous Request Batch ItemObject REQUIRED in Message Comment
Batch Item Yes Structure, see Structure, see 6.156.15
Operation Yes, if not a failure See See 6.26.2
Unique Batch Item ID
No REQUIRED if present in Request Batch Item, see REQUIRED if Batch Count > 1, see 6.46.4
Result StatusRequest Payload
Yes See Structure, contents depend on the Operation, see 46.94 and 55
Result ReasonMessage Extension
Yes, if Result Status is FailureNo
REQUIRED if Result Status is Failure, otherwise OPTIONAL, see See 6.166.1016
Result Message No OPTIONAL if Result Status is not Pending or Success, see 6.11
Table 200: Asynchronous Request Batch Item Structure 1755
Formatted Table
Field Code Changed
Formatted: Keep with next
Formatted: Don't keep with next
Field Code Changed
Formatted: Font: Italic
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 106 of 176
Asynchronous Response HeaderAsynchronous Correlation ValueObject
NoREQUIRED in Message
REQUIRED if Result Status is Pending, see 6.8Comment
Response PayloadHeader
Yes, if not a failure Structure, contents depend on the Operation, see 4and 5
Message ExtensionProtocol Version
NoYes See See 6.16.161
Time Stamp Yes See 6.56.5
Batch Count Yes See 6.146.14
Table 201: Asynchronous Response Header Structure 1756
Asynchronous Response Batch ItemObject REQUIRED in Message Comment
Batch Item Yes Structure, see 6.156.15
Operation Yes, if not a failure See 6.26.2
Unique Batch Item ID
No REQUIRED if present in Request Batch Item, see 6.46.4
Result Status Yes See 6.96.9
Result Reason No Only present if Result Status is not Pending or Success, see 6.106.10
Result Message No Only present if Result Status is not Pending or Success, see 6.116.11
Asynchronous Correlation Value
Yes Only present if Result Status is Pending, see 6.86.8
Response Payload Yes, if not a failure Structure, contents depend on the Operation, see 44 and 55
Message Extension No See 6.166.16
Table 202: Asynchronous Response Batch Item Structure 1757
Formatted: Left, Indent: Left: 36 pt
Formatted Table
Formatted: Font: Not Bold
Formatted: Font: Not Bold
Formatted: Left, Don't adjust space betweenLatin and Asian text
Formatted: Font: Not Bold, Italic
Formatted: Indent: Left: 36 pt
Formatted: Don't keep with next
Formatted: Keep with next
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 107 of 176
8 8 Authentication 1758
The mechanisms used to authenticate the client to the server and the server to the client are not part of 1759 the message definitions, and are external to the protocol. The KMIP Server SHALL support authentication 1760 as defined in [KMIP-Prof]. 1761
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
Formatted: Font: 18 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 108 of 176
9 9 Message Encoding 1762
To support different transport protocols and different client capabilities, a number of message-encoding 1763 mechanisms are supported. 1764
9.1 9.1 TTLV Encoding 1765
In order to minimize the resource impact on potentially low-function clients, one encoding mechanism to 1766 be used for protocol messages is a simplified TTLV (Tag, Type, Length, Value) scheme. 1767
The scheme is designed to minimize the CPU cycle and memory requirements of clients that need to 1768 encode or decode protocol messages, and to provide optimal alignment for both 32-bit and 64-bit 1769 processors. Minimizing bandwidth over the transport mechanism is considered to be of lesser importance. 1770
9.1.1 9.1.1 TTLV Encoding Fields 1771
Every Data object encoded by the TTLV scheme consists of four items, in order: 1772
9.1.1.1 9.1.1.1 Item Tag 1773
An Item Tag is a three-byte binary unsigned integer, transmitted big endian, which contains a number that 1774 designates the specific Protocol Field or Object that the TTLV object represents. To ease debugging, and 1775 to ensure that malformed messages are detected more easily, all tags SHALL contain either the value 42 1776 in hex or the value 54 in hex as the high order (first) byte. Tags defined by this specification contain hex 1777 42 in the first byte. Extensions, which are permitted, but are not defined in this specification, contain the 1778 value 54 hex in the first byte. A list of defined Item Tags is in Section 9.1.3.19.1.3.1 1779
9.1.1.2 9.1.1.2 Item Type 1780
An Item Type is a byte containing a coded value that indicates the data type of the data object. The 1781 allowed values are: 1782
Data Type Coded Value in Hex
Structure 01
Integer 02
Long Integer 03
Big Integer 04
Enumeration 05
Boolean 06
Text String 07
Byte String 08
Date-Time 09
Interval 0A
Table 203: Allowed Item Type Values 1783
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 72 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 72 pt + 144 pt
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 72 pt + 144 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 109 of 176
9.1.1.3 9.1.1.3 Item Length 1784
An Item Length is a 32-bit binary integer, transmitted big-endian, containing the number of bytes in the 1785 Item Value. The allowed values are: 1786
1787
Data Type Length
Structure Varies, multiple of 8
Integer 4
Long Integer 8
Big Integer Varies, multiple of 8
Enumeration 4
Boolean 8
Text String Varies
Byte String Varies
Date-Time 8
Interval 4
Table 204: Allowed Item Length Values 1788
If the Item Type is Structure, then the Item Length is the total length of all of the sub-items contained in 1789 the structure, including any padding. If the Item Type is Integer, Enumeration, Text String, Byte String, or 1790 Interval, then the Item Length is the number of bytes excluding the padding bytes. Text Strings and Byte 1791 Strings SHALL be padded with the minimal number of bytes following the Item Value to obtain a multiple 1792 of eight bytes. Integers, Enumerations, and Intervals SHALL be padded with four bytes following the Item 1793 Value. 1794
9.1.1.4 9.1.1.4 Item Value 1795
The item value is a sequence of bytes containing the value of the data item, depending on the type: 1796
• Integers are encoded as four-byte long (32 bit) binary signed numbers in 2's complement 1797 notation, transmitted big-endian. 1798
• Long Integers are encoded as eight-byte long (64 bit) binary signed numbers in 2's complement 1799 notation, transmitted big-endian. 1800
• Big Integers are encoded as a sequence of eight-bit bytes, in two's complement notation, 1801 transmitted big-endian. If the length of the sequence is not a multiple of eight bytes, then Big 1802 Integers SHALL be padded with the minimal number of leading sign-extended bytes to make the 1803 length a multiple of eight bytes. These padding bytes are part of the Item Value and SHALL be 1804 counted in the Item Length. 1805
• Enumerations are encoded as four-byte long (32 bit) binary unsigned numbers transmitted big-1806 endian. Extensions, which are permitted, but are not defined in this specification, contain the 1807 value 8 hex in the first nibble of the first byte. 1808
• Booleans are encoded as an eight-byte value that SHALL either contain the hex value 1809 0000000000000000, indicating the Boolean value False, or the hex value 0000000000000001, 1810 transmitted big-endian, indicating the Boolean value True. 1811
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 72 pt + 144 pt
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 72 pt + 144 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 110 of 176
• Text Strings are sequences of bytes that encode character values according to the UTF-8 1812 encoding standard. There SHALL NOT be null-termination at the end of such strings. 1813
• Byte Strings are sequences of bytes containing individual unspecified eight-bit binary values, and 1814 are interpreted in the same sequence order. 1815
• Date-Time values are POSIX Time values encoded as Long Integers. POSIX Time, as described 1816 in IEEE Standard 1003.1 [IEEE1003-1], is the number of seconds since the Epoch (1970 Jan 1, 1817 00:00:00 UTC), not counting leap seconds. 1818
• Intervals are encoded as four-byte long (32 bit) binary unsigned numbers, transmitted big-endian. 1819 They have a resolution of one second. 1820
• Structure Values are encoded as the concatenated encodings of the elements of the structure. All 1821 structures defined in this specification SHALL have all of their fields encoded in the order in which 1822 they appear in their respective structure descriptions. 1823
9.1.2 9.1.2 Examples 1824
These examples are assumed to be encoding a Protocol Object whose tag is 420020. The examples are 1825 shown as a sequence of bytes in hexadecimal notation: 1826
• An Integer containing the decimal value 8: 1827
42 00 20 | 02 | 00 00 00 04 | 00 00 00 08 00 00 00 00 1828
• A Long Integer containing the decimal value 123456789000000000: 1829
42 00 20 | 03 | 00 00 00 08 | 01 B6 9B 4B A5 74 92 00 1830
• A Big Integer containing the decimal value 1234567890000000000000000000: 1831
42 00 20 | 04 | 00 00 00 10 | 00 00 00 00 03 FD 35 EB 6B C2 DF 46 18 08 1832 00 00 1833
• An Enumeration with value 255: 1834
42 00 20 | 05 | 00 00 00 04 | 00 00 00 FF 00 00 00 00 1835
• A Boolean with the value True: 1836
42 00 20 | 06 | 00 00 00 08 | 00 00 00 00 00 00 00 01 1837
• A Text String with the value "Hello World": 1838
42 00 20 | 07 | 00 00 00 0B | 48 65 6C 6C 6F 20 57 6F 72 6C 64 00 00 00 1839 00 00 1840
• A Byte String with the value { 0x01, 0x02, 0x03 }: 1841
42 00 20 | 08 | 00 00 00 03 | 01 02 03 00 00 00 00 00 1842
• A Date-Time, containing the value for Friday, March 14, 2008, 11:56:40 GMT: 1843
42 00 20 | 09 | 00 00 00 08 | 00 00 00 00 47 DA 67 F8 1844
• An Interval, containing the value for 10 days: 1845
42 00 20 | 0A | 00 00 00 04 | 00 0D 2F 00 00 00 00 00 1846
• A Structure containing an Enumeration, value 254, followed by an Integer, value 255, having tags 1847 420004 and 420005 respectively: 1848
42 00 20 | 01 | 00 00 00 20 | 42 00 04 | 05 | 00 00 00 04 | 00 00 00 FE 1849 00 00 00 00| 42 00 05 | 02 | 00 00 00 04 | 00 00 00 FF 00 00 00 00 1850
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 72 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 111 of 176
9.1.3 9.1.3 Defined Values 1851
This section specifies the values that are defined by this specification. In all cases where an extension 1852 mechanism is allowed, this extension mechanism is only able to be used for communication between 1853 parties that have pre-agreed understanding of the specific extensions. 1854
9.1.3.1 9.1.3.1 Tags 1855
The following table defines the tag values for the objects and primitive data values for the protocol 1856 messages. 1857
TagObject Tag Value(Unused) 000000 - 420000
Activation Date 420001
Application Data 420002
Application Namespace 420003
Application Specific Information 420004
Archive Date 420005
Asynchronous Correlation Value
420006
Asynchronous Indicator 420007
Attribute 420008
Attribute Index 420009
Attribute Name 42000A
Attribute Value 42000B
Authentication 42000C
Batch Count 42000D
Batch Error Continuation Option
42000E
Batch Item 42000F
Batch Order Option 420010
Block Cipher Mode 420011
Cancellation Result 420012
Certificate 420013
Certificate Identifier 420014
Certificate Issuer 420015
Certificate Issuer Alternative Name
420016
Certificate Issuer Distinguished Name
420017
Certificate Request 420018
Certificate Request Type 420019
Formatted: Outline numbered + Level: 3 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 36 pt + Indent at: 36 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 72 pt
Formatted: Font: Bold
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 72 pt + 144 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 112 of 176
TagObject Tag ValueCertificate Subject 42001A
Certificate Subject Alternative Name
42001B
Certificate Subject Distinguished Name
42001C
Certificate Type 42001D
Certificate Value 42001E
Common Template-Attribute 42001F
Compromise Date 420020
Compromise Occurrence Date 420021
Contact Information 420022
Credential 420023
Credential Type 420024
Credential Value 420025
Criticality Indicator 420026
CRT Coefficient 420027
Cryptographic Algorithm 420028
Cryptographic Domain Parameters
420029
Cryptographic Length 42002A
Cryptographic Parameters 42002B
Cryptographic Usage Mask 42002C
Custom Attribute 42002D
D 42002E
Deactivation Date 42002F
Derivation Data 420030
Derivation Method 420031
Derivation Parameters 420032
Destroy Date 420033
Digest 420034
Digest Value 420035
Encryption Key Information 420036
G 420037
Hashing Algorithm 420038
Initial Date 420039
Initialization Vector 42003A
Issuer 42003B
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 113 of 176
TagObject Tag ValueIteration Count 42003C
IV/Counter/Nonce 42003D
J 42003E
Key 42003F
Key Block 420040
Key Compression Type 420041
Key Format Type 420042
Key Material 420043
Key Part Identifier 420044
Key Value 420045
Key Wrapping Data 420046
Key Wrapping Specification 420047
Last Change Date 420048
Lease Time 420049
Link 42004A
Link Type 42004B
Linked Object Identifier 42004C
MAC/Signature 42004D
MAC/Signature Key Information
42004E
Maximum Items 42004F
Maximum Response Size 420050
Message Extension 420051
Modulus 420052
Name 420053
Name Type 420054
Name Value 420055
Object Group 420056
Object Type 420057
Offset 420058
Opaque Data Type 420059
Opaque Data Value 42005A
Opaque Object 42005B
Operation 42005C
Operation Policy Name 42005D
P 42005E
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 114 of 176
TagObject Tag ValuePadding Method 42005F
Prime Exponent P 420060
Prime Exponent Q 420061
Prime Field Size 420062
Private Exponent 420063
Private Key 420064
Private Key Template-Attribute 420065
Private Key Unique Identifier 420066
Process Start Date 420067
Protect Stop Date 420068
Protocol Version 420069
Protocol Version Major 42006A
Protocol Version Minor 42006B
Public Exponent 42006C
Public Key 42006D
Public Key Template-Attribute 42006E
Public Key Unique Identifier 42006F
Put Function 420070
Q 420071
Q String 420072
Qlength 420073
Query Function 420074
Recommended Curve 420075
Replaced Unique Identifier 420076
Request Header 420077
Request Message 420078
Request Payload 420079
Response Header 42007A
Response Message 42007B
Response Payload 42007C
Result Message 42007D
Result Reason 42007E
Result Status 42007F
Revocation Message 420080
Revocation Reason 420081
Revocation Reason Code 420082
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 115 of 176
TagObject Tag ValueKey Role Type 420083
Salt 420084
Secret Data 420085
Secret Data Type 420086
Serial Number 420087
Server Information 420088
Split Key 420089
Split Key Method 42008A
Split Key Parts 42008B
Split Key Threshold 42008C
State 42008D
Storage Status Mask 42008E
Symmetric Key 42008F
Template 420090
Template-Attribute 420091
Time Stamp 420092
Unique Batch Item ID 420093
Unique Identifier 420094
Usage Limits 420095
Usage Limits Byte Count 420096
Usage Limits TotalObject Count 420097
Usage Limits UnitTotal Bytes 420098
UsernameUsage Limits Total Objects
420099
Validity Date 42009A
Validity Indicator 42009B
Vendor Extension 42009C
Vendor Identification 42009D
Wrapping Method 42009E
X 42009F
Y 4200A0
Password(Reserved) 4200A1 – 42FFFF
(Reserved) 4200A2 – 42FFFF
(Unused) 430000 – 53FFFF
Extensions 540000 – 54FFFF
(Unused) 550000 - FFFFFF
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 116 of 176
Table 205: Tag Values 1858
9.1.3.2 9.1.3.2 Enumerations 1859
The following tables define the values for enumerated lists. Values not listed (outside the range 80000000 1860 to 8FFFFFFF) are reserved for future KMIP versions. 1861
9.1.3.2.1 9.1.3.2.1 Credential Type Enumeration 1862
Credential TypeName ValueUsername and& Password 00000001
Token 00000002
Biometric Measurement 00000003
Certificate 00000004
Extensions 8XXXXXXX
Table 206: Credential Type Enumeration 1863
9.1.3.2.2 9.1.3.2.2 Key Compression Type Enumeration 1864
Key Compression TypeName ValueEC Public Key Type Uncompressed
00000001
EC Public Key Type X9.62 Compressed Prime
00000002
EC Public Key Type X9.,62 Compressed Char2
00000003
EC Public Key Type X9.62 Hybrid
00000004
Extensions 8XXXXXXX
Table 207: Key Compression Type Enumeration 1865
9.1.3.2.3 9.1.3.2.3 Key Format Type Enumeration 1866
Key Format TypeName ValueRaw 00000001
Opaque 00000002
PKCS#1 00000003
PKCS#8 00000004
X.509 00000005
ECPrivateKey 00000006
Transparent Symmetric Key 00000007
Transparent DSA Private Key 00000008
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, No page breakbefore, Hyphenate, Don't adjust space betweenLatin and Asian text, Tab stops: Not at 72 pt + 144 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted Table
Formatted Table
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 117 of 176
Transparent DSA Public Key 00000009
Transparent RSA Private Key 0000000A
Transparent RSA Public Key 0000000B
Transparent DH Private Key 0000000C
Transparent DH Public Key 0000000D
Transparent ECDSA Private Key
0000000E
Transparent ECDSA Public Key 0000000F
Transparent ECDH Private Key 00000010
Transparent ECDH Public Key 00000011
Transparent ECMQV Private Key
00000012
Transparent ECMQV Public Key 00000013
Extensions 8XXXXXXX
Table 208: Key Format Type Enumeration 1867
9.1.3.2.4 9.1.3.2.4 Wrapping Method Enumeration 1868
Wrapping MethodName ValueEncrypt 00000001
MAC/sign 00000002
Encrypt then MAC/sign 00000003
MAC/sign then encrypt 00000004
TR-31 00000005
Extensions 8XXXXXXX
Table 209: Wrapping Method Enumeration 1869
9.1.3.2.5 9.1.3.2.5 Recommended Curve Enumeration for ECDSA, ECDH, and 1870 ECMQV 1871
Recommended curves are defined in [FIPS186-3]NIST FIPS PUB 186-3. 1872
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt, Font color: CustomColor(RGB(59,0,111))
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 118 of 176
Recommended Curve EnumerationName ValueP-192 00000001
K-163 00000002
B-163 00000003
P-224 00000004
K-233 00000005
B-233 00000006
P-256 00000007
K-283 00000008
B-283 00000009
P-384 0000000A
K-409 0000000B
B-409 0000000C
P-521 0000000D
K-571 0000000E
B-571 0000000F
Extensions 8XXXXXXX
Table 210: Recommended Curve Enumeration for ECDSA, ECDH, and ECMQV 1873
9.1.3.2.6 9.1.3.2.6 Certificate Type Enumeration 1874
Certificate TypeName ValueX.509 00000001
PGP 00000002
Extensions 8XXXXXXX
Table 211: Certificate Type Enumeration 1875
9.1.3.2.7 9.1.3.2.7 Split Key Method Enumeration 1876
Split Key MethodName ValueXOR 00000001
Polynomial Sharing GF(216) 00000002
Polynomial Sharing Prime Field 00000003
Extensions 8XXXXXXX
Table 212: Split Key Method Enumeration 1877
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 119 of 176
9.1.3.2.8 9.1.3.2.8 Secret Data Type Enumeration 1878
Secret Data TypeName ValuePassword 00000001
Seed 00000002
Extensions 8XXXXXXX
Table 213: Secret Data Type Enumeration 1879
9.1.3.2.9 9.1.3.2.9 Opaque Data Type Enumeration 1880
Opaque Data TypeName ValueExtensions 8XXXXXXX
Table 214: Opaque Data Type Enumeration 1881
9.1.3.2.10 9.1.3.2.10 Name Type Enumeration 1882
Name TypeName ValueUninterpreted Text String 00000001
URI 00000002
Extensions 8XXXXXXX
Table 215: Name Type Enumeration 1883
9.1.3.2.11 9.1.3.2.11 Object Type Enumeration 1884
Object TypeName ValueCertificate 00000001
Symmetric Key 00000002
Public Key 00000003
Private Key 00000004
Split Key 00000005
Template 00000006
Secret Data 00000007
Opaque Object 00000008
Extensions 8XXXXXXX
Table 216: Object Type Enumeration 1885
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 120 of 176
9.1.3.2.12 9.1.3.2.12 Cryptographic Algorithm Enumeration 1886
Cryptographic AlgorithmName ValueDES 00000001
3DES 00000002
AES 00000003
RSA 00000004
DSA 00000005
ECDSA 00000006
HMAC-SHA1 00000007
HMAC-SHA224 00000008
HMAC-SHA256 00000009
HMAC-SHA384 0000000A
HMAC-SHA512 0000000B
HMAC-MD5 0000000C
DH 0000000D
ECDH 0000000E
ECMQV 0000000F
Extensions 8XXXXXXX
Table 217: Cryptographic Algorithm Enumeration 1887
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 121 of 176
9.1.3.2.13 9.1.3.2.13 Block Cipher Mode Enumeration 1888
Block Cipher ModeName ValueCBC 00000001
ECB 00000002
PCBC 00000003
CFB 00000004
OFB 00000005
CTR 00000006
CMAC 00000007
CCM 00000008
GCM 00000009
CBC-MAC 0000000A
XTS 0000000B
AESKeyWrapPadding 0000000C
NISTKeyWrap 0000000D
X9.102 AESKW 0000000E
X9.102 TDKW 0000000F
X9.102 AKW1 00000010
X9.102 AKW2 00000011
Extensions 8XXXXXXX
Table 218: Block Cipher Mode Enumeration 1889
9.1.3.2.14 9.1.3.2.14 Padding Method Enumeration 1890
Padding MethodName ValueNone 00000001
OAEP 00000002
PKCS5 00000003
SSL3 00000004
Zeros 00000005
ANSI X9.23 00000006
ISO 10126 00000007
PKCS1 v1.5 00000008
X9.31 00000009
PSS 0000000A
Extensions 8XXXXXXX
Table 219: Padding Method Enumeration 1891
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 122 of 176
9.1.3.2.15 9.1.3.2.15 Hashing Algorithm Enumeration 1892
Hashing AlgorithmName ValueMD2 00000001
MD4 00000002
MD5 00000003
SHA-1 00000004
SHA-224 00000005
SHA-256 00000006
SHA-384 00000007
SHA-512 00000008
Extensions 8XXXXXXX
Table 220: Hashing Algorithm Enumeration 1893
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 123 of 176
9.1.3.2.16 9.1.3.2.16 Key Role Type Enumeration 1894
Key Role TypeName ValueBDK 00000001
CVK 00000002
DEK 00000003
MKAC 00000004
MKSMC 00000005
MKSMI 00000006
MKDAC 00000007
MKDN 00000008
MKCP 00000009
MKOTH 0000000A
KEK 0000000B
MAC16609 0000000C
MAC97971 0000000D
MAC97972 0000000E
MAC97973 0000000F
MAC97974 00000010
MAC97975 00000011
ZPK 00000012
PVKIBM 00000013
PVKPVV 00000014
PVKOTH 00000015
Extensions 8XXXXXXX
Table 221: Key Role Type Enumeration 1895
Note that while the set and definitions of key role types are chosen to match TR-31 there is no necessity 1896 to match binary representations. 1897
9.1.3.2.17 9.1.3.2.17 State Enumeration 1898
StateName ValuePre-Active 00000001
Active 00000002
Deactivated 00000003
Compromised 00000004
Destroyed 00000005
Destroyed Compromised 00000006
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 124 of 176
Extensions 8XXXXXXX
Table 222: State Enumeration 1899
9.1.3.2.18 9.1.3.2.18 Revocation Reason Code Enumeration 1900
Revocation Reason CodeName ValueUnspecified 00000001
Key Compromise 00000002
CA Compromise 00000003
Affiliation Changed 00000004
Superseded 00000005
Cessation of Operation 00000006
Privilege Withdrawn 00000007
Extensions 8XXXXXXX
Table 223: Revocation Reason Code Enumeration 1901
9.1.3.2.19 9.1.3.2.19 Link Type Enumeration 1902
Link TypeName ValueCertificate Link 00000101
Public Key Link 00000102
Private Key Link 00000103
Derivation Base Object Link 00000104
Derived Key Link 00000105
Replacement Object Link 00000106
Replaced Object Link 00000107
Extensions 8XXXXXXX
Table 224: Link Type Enumeration 1903
Note: Link Types start at 101 to avoid any confusion with Object Types. 1904
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 125 of 176
9.1.3.2.20 9.1.3.2.20 Derivation Method Enumeration 1905
Derivation MethodName ValuePBKDF2 00000001
HASH 00000002
HMAC 00000003
ENCRYPT 00000004
NIST800-108-C 00000005
NIST800-108-F 00000006
NIST800-108-DPI 00000007
Extensions 8XXXXXXX
Table 225: Derivation Method Enumeration 1906
9.1.3.2.21 9.1.3.2.21 Certificate Request Type Enumeration 1907
Certificate Request TypeName ValueCRMF 00000001
PKCS#10 00000002
PEM 00000003
PGP 00000004
Extensions 8XXXXXXX
Table 226: Certificate Request Type Enumeration 1908
9.1.3.2.22 9.1.3.2.22 Validity Indicator Enumeration 1909
Validity IndicatorName ValueValid 00000001
Invalid 00000002
Unknown 00000003
Extensions 8XXXXXXX
Table 227: Validity Indicator Enumeration 1910
9.1.3.2.23 9.1.3.2.23 Query Function Enumeration 1911
Query FunctionName ValueQuery Operations 00000001
Query Objects 00000002
Query Server Information 00000003
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 126 of 176
Query Application Namespaces 00000004
Extensions 8XXXXXXX
Table 228: Query Function Enumeration 1912
9.1.3.2.24 9.1.3.2.24 Cancellation Result Enumeration 1913
Cancellation Result Name ValueCanceled 00000001
Unable to Cancel 00000002
Completed 00000003
Failed 00000004
Unavailable 00000005
Extensions 8XXXXXXX
Table 229: Cancellation Result Enumeration 1914
9.1.3.2.25 9.1.3.2.25 Put Function Enumeration 1915
Put Function Name ValueNew 00000001
Replace 00000002
Extensions 8XXXXXXX
Table 230: Put Function Enumeration 1916
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 127 of 176
9.1.3.2.26 9.1.3.2.26 Operation Enumeration 1917
OperationName ValueCreate 00000001
Create Key Pair 00000002
Register 00000003
Re-key 00000004
Derive Key 00000005
Certify 00000006
Re-certify 00000007
Locate 00000008
Check 00000009
Get 0000000A
Get Attributes 0000000B
Get Attribute List 0000000C
Add Attribute 0000000D
Modify Attribute 0000000E
Delete Attribute 0000000F
Obtain Lease 00000010
Get Usage Allocation 00000011
Activate 00000012
Revoke 00000013
Destroy 00000014
Archive 00000015
Recover 00000016
Validate 00000017
Query 00000018
Cancel 00000019
Poll 0000001A
Notify 0000001B
Put 0000001C
Extensions 8XXXXXXX
Table 231: Operation Enumeration 1918
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 128 of 176
9.1.3.2.27 9.1.3.2.27 Result Status Enumeration 1919
Result StatusName ValueSuccess 00000000
Operation Failed 00000001
Operation Pending 00000002
Operation Undone 00000003
Extensions 8XXXXXXX
Table 232: Result Status Enumeration 1920
9.1.3.2.28 9.1.3.2.28 Result Reason Enumeration 1921
Result ReasonName ValueItem Not Found 00000001
Response Too Large 00000002
Authentication Not Successful 00000003
Invalid Message 00000004
Operation Not Supported 00000005
Missing Data 00000006
Invalid Field 00000007
Feature Not Supported 00000008
Operation Canceled By Requester
00000009
Cryptographic Failure 0000000A
Illegal Operation 0000000B
Permission Denied 0000000C
Object archived 0000000D
Index Out of Bounds 0000000E
Application Namespace Not Supported
0000000F
Key Format Type and/or Key Compression Type Not Supported
00000010
General Failure 00000100
Extensions 8XXXXXXX
Table 233: Result Reason Enumeration 1922
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 129 of 176
9.1.3.2.29 9.1.3.2.29 Batch Error Continuation Enumeration 1923
Batch Error ContinuationName ValueContinue 00000001
Stop 00000002
Undo 00000003
Extensions 8XXXXXXX
Table 234: Batch Error Continuation Enumeration 1924
9.1.3.2.30 Usage Limits Unit Enumeration 1925
Usage Limits UnitName ValueByte 00000001
Object 00000002
Extensions 8XXXXXXX
Table 235: Usage Limits Unit Enumeration 1926
1927
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 108 pt + 216 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 130 of 176
9.1.3.3 9.1.3.3 Bit Masks 1928
9.1.3.3.1 9.1.3.3.1 Cryptographic Usage Mask 1929
Cryptographic Usage MaskName ValueSign 00000001
Verify 00000002
Encrypt 00000004
Decrypt 00000008
Wrap Key 00000010
Unwrap Key 00000020
Export 00000040
MAC Generate 00000080
MAC Verify 00000100
Derive Key 00000200
Content Commitment (Non Repudiation)
00000400
Key Agreement 00000800
Certificate Sign 00001000
CRL Sign 00002000
Generate Cryptogram 00004000
Validate Cryptogram 00008000
Translate Encrypt 00010000
Translate Decrypt 00020000
Translate Wrap 00040000
Translate Unwrap 00080000
Extensions XXX00000
Table 236: Cryptographic Usage Mask 1930
This list takes into consideration values which MAY appear in the Key Usage extension in an X.509 1931 certificate. 1932
9.1.3.3.2 9.1.3.3.2 Storage Status Mask 1933
Storage Status MaskName ValueOn-line storage 00000001
Archival storage 00000002
Extensions XXXXXXX0
Table 237: Storage Status Mask 1934
Formatted: Outline numbered + Level: 4 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 43.2 pt + Indent at: 43.2 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 72 pt + 144 pt
Formatted: Font: 12 pt
Formatted: Outline numbered + Level: 5 +Numbering Style: 1, 2, 3, … + Start at: 1 +Alignment: Left + Aligned at: 0 pt + Tab after: 50.4 pt + Indent at: 50.4 pt, Hyphenate, Don'tadjust space between Latin and Asian text, Tabstops: Not at 106.35 pt
Formatted: Font: 12 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 131 of 176
9.2 9.2 XML Encoding 1935
An XML Encoding has not yet been defined. 1936
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 132 of 176
10 10 Transport 1937
A KMIP Server SHALL establish and maintain channel confidentiality and integrity, and provide 1938 assurance ofprove server authenticity for KMIP messaging. 1939
If a KMIP Server uses TCP/IP for KMIP messaging, then it SHALL support SSL v3.1/TLS v1.0 [RFC 1940 2246] or later and may support other protocols as specified in [KMIP-Prof]. 1941
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 133 of 176
11 11 Error Handling 1942
This section details the specific Result Reasons that SHALL be returned for errors detected. 1943
11.1 11.1 General 1944
These errors MAY occur when any protocol message is received by the server or client (in response to 1945 server-to-client operations). 1946
Error Definition Action Result Reason
Protocol major version mismatch
Response message containing a header and a Batch Item without Operation, but with the Result Status field set to Operation Failed
Invalid Message
Error parsing batch item or payload within batch item
Batch item fails; Result Status is Operation Failed
Invalid Message
The same field is contained in a header/batch item/payload more than once
Result Status is Operation Failed
Invalid Message
Same major version, different minor versions; unknown fields/fields the server does not understand
Ignore unknown fields, process rest normally
N/A
Same major & minor version, unknown field
Result Status is Operation Failed
Invalid Field
Client is not allowed to perform the specified operation
Result Status is Operation Failed
Permission Denied
Operation is not able to be completed synchronously and client does not support asynchronous requests
Result Status is Operation Failed
Operation Not Supported
Maximum Response Size has been exceeded
Result Status is Operation Failed
Response Too Large
Server does not support operation
Result Status is Operation Failed
Operation Not Supported
The Criticality Indicator in a Message Extension structure is set to True, but the server does not understand the extension
Result Status is Operation Failed
Feature Not Supported
Table 238: General Errors 1947
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted Table
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 134 of 176
11.2 11.2 Create 1948
Error Definition Result Status Result Reason
Object Type is not recognized Operation Failed Invalid Field
Templates that do not exist are given in request
Operation Failed Item Not Found
Incorrect attribute value(s) specified Operation Failed Invalid Field
Error creating cryptographic object Operation Failed Cryptographic Failure
Trying to set more instances than the server supports of an attribute that MAY have multiple instances
Operation Failed Index Out of Bounds
Trying to create a new object with the same Name attribute value as an existing object
Operation Failed Invalid Field
The particular Application Namespace is not supported, and Application Data cannot be generated if it was omitted from the client request
Operation Failed Application Namespace Not Supported
Template object is archived Operation Failed Object Archived
Table 239: Create Errors 1949
11.3 11.3 Create Key Pair 1950
Error Definition Result Status Result Reason
Templates that do not exist are given in request
Operation Failed Item Not Found
Incorrect attribute value(s) specified Operation Failed Invalid Field
Error creating cryptographic object Operation Failed Cryptographic Failure
Trying to create a new object with the same Name attribute value as an existing object
Operation Failed Invalid Field
Trying to set more instances than the server supports of an attribute that MAY have multiple instances
Operation Failed Index Out of Bounds
REQUIRED field(s) missing Operation Failed Invalid Message
The particular Application Namespace is not supported, and Application Data cannot be generated if it was omitted from the client request
Operation Failed Application Namespace Not Supported
Template object is archived Operation Failed Object Archived
Table 240: Create Key Pair Errors 1951
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 135 of 176
11.4 11.4 Register 1952
Error Definition Result Status Result Reason
Object Type is not recognized Operation Failed Invalid Field
Object Type does not match type of cryptographic object provided
Operation Failed Invalid Field
Templates that do not exist are given in request
Operation Failed Item Not Found
Incorrect attribute value(s) specified Operation Failed Invalid Field
Trying to register a new object with the same Name attribute value as an existing object
Operation Failed Invalid Field
Trying to set more instances than the server supports of an attribute that MAY have multiple instances
Operation Failed Index Out of Bounds
The particular Application Namespace is not supported, and Application Data cannot be generated if it was omitted from the client request
Operation Failed Application Namespace Not Supported
Template object is archived Operation Failed Object Archived
Table 241: Register Errors 1953
11.5 11.5 Re-key 1954
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Object specified is not able to be re-keyed
Operation Failed Permission Denied
Offset field is not permitted to be specified at the same time as any of the Activation Date, Process Start Date, Protect Stop Date, or Deactivation Date attributes
Operation Failed Invalid Message
Cryptographic error during re-key Operation Failed Cryptographic Failure
The particular Application Namespace is not supported, and Application Data cannot be generated if it was omitted from the client request
Operation Failed Application Namespace Not Supported
Object is archived Operation Failed Object Archived
An offset cannot be used to specify new Process Start, Protect Stop and/or Deactivation Date attribute values since no Activation Date has been specified
Operation Failed Illegal Operation
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 136 of 176
for the existing key
Table 242: Re-key Errors 1955
11.6 11.6 Derive Key 1956
Error Definition Result Status Result Reason
One or more of the objects specified do not exist
Operation Failed Item Not Found
One or more of the objects specified are not of the correct type
Operation Failed Invalid Field
Templates that do not exist are given in request
Operation Failed Item Not Found
Invalid Derivation Method Operation Failed Invalid Field
Invalid Derivation Parameters Operation Failed Invalid Field Ambiguous derivation data provided both with Derivation Data and Secret Data object.
Operation Failed Invalid Message
Incorrect attribute value(s) specified Operation Failed Invalid Field
One or more of the specified objects are not able to be used to derive a new key
Operation Failed Invalid Field
Trying to derive a new key with the same Name attribute value as an existing object
Operation Failed Invalid Field
The particular Application Namespace is not supported, and Application Data cannot be generated if it was omitted from the client request
Operation Failed Application Namespace Not Supported
One or more of the objects is archived Operation Failed Object Archived
The specified length exceeds the output of the derivation method or other cryptographic error during derivation.
Operation Failed Cryptographic Failure
Table 243: Derive Key Errors- 1957
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 137 of 176
11.7 11.7 Certify 1958
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Object specified is not able to be certified
Operation Failed Permission Denied
The Certificate Request does not contain a signed certificate request of the specified Certificate Request Type
Operation Failed Invalid Field
Server does not support operation Operation Failed Operation Not Supported
The particular Application Namespace is not supported, and Application Data cannot be generated if it was omitted from the client request
Operation Failed Application Namespace Not Supported
Object is archived Operation Failed Object Archived
Table 244: Certify Errors 1959
11.8 11.8 Re-certify 1960
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Object specified is not able to be certified
Operation Failed Permission Denied
The Certificate Request does not contain a signed certificate request of the specified Certificate Request Type
Operation Failed Invalid Field
Server does not support operation Operation Failed Operation Not Supported
Offset field is not permitted to be specified at the same time as any of the Activation Date or Deactivation Date attributes
Operation Failed Invalid Message
The particular Application Namespace is not supported, and Application Data cannot be generated if it was omitted from the client request
Operation Failed Application Namespace Not Supported
Object is archived Operation Failed Object Archived
Table 245: Re-certify Errors 1961
11.9 11.9 Locate 1962
Error Definition Result Status Result Reason
Non-existing attributes, attributes that Operation Failed Invalid Field
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 138 of 176
the server does not understand or templates that do not exist are given in the request
Table 246: Locate Errors 1963
11.10 11.10 Check 1964
Error Definition Result Status Result Reason
Object does not exist Operation Failed Item Not Found
Object is archived Operation Failed Object Archived
Check cannot be performed on this object
Operation Failed Illegal Operation
The client is not allowed to use the object according to the specified attributes
Operation Failed Permission Denied
Table 247: Check Errors 1965
11.11 11.11 Get 1966
Error Definition Result Status Result Reason
Object does not exist Operation Failed Item Not Found
Wrapping key does not exist Operation Failed Item Not Found
Object with EncryptionWrapping Key InformationID exists, but it is not a key
Operation Failed Illegal Operation
Object with EncryptionWrapping Key InformationID exists, but it is not able to be used for wrapping
Operation Failed Permission Denied
Object with MAC/Signature Key InformationID exists, but it is not a key
Operation Failed Illegal Operation
Object with MAC/Signature Key InformationID exists, but it is not able to be used for MACing/signing
Operation Failed Permission Denied
Object exists but cannot be provided in the desired Key Format Type and/or Key Compression Type
Operation Failed Key Format Type and/or Key Compression Type Not Supported
Object exists and is not a Template, but the server only has attributes for this object
Operation Failed Illegal Operation
Cryptographic Parameters associated with the object do not exist or do not match those provided in the Encryption Key Information and/or Signature Key Information
Operation Failed Item Not Found
Object is archived Operation Failed Object Archived
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted Table
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 139 of 176
Table 248: Get Errors 1967
11.12 11.12 Get Attributes 1968
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
An Attribute Index is specified, but no matching instance exists.
Operation Failed Item Not Found
Object is archived Operation Failed Object Archived
Table 249: Get Attributes Errors 1969
11.13 11.13 Get Attribute List 1970
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Object is archived Operation Failed Object Archived
Table 250: Get Attribute List Errors 1971
11.14 11.14 Add Attribute 1972
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Attempt to add a read-only attribute Operation Failed Permission Denied
Attempt to add an attribute that is not supported for this object
Operation Failed Permission Denied
The specified attribute already exists Operation Failed Illegal Operation
New attribute contains Attribute Index Operation Failed Invalid Field
Trying to add a Name attribute with the same value that another object already has
Operation Failed Illegal Operation
Trying to add a new instance to an attribute with multiple instances but the server limit on instances has been reached
Operation Failed Index Out of Bounds
The particular Application Namespace is not supported, and Application Data cannot be generated if it was omitted from the client request
Operation Failed Application Namespace Not Supported
Object is archived Operation Failed Object Archived
Table 251: Add Attribute Errors 1973
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 140 of 176
11.15 11.15 Modify Attribute 1974
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
A specified attribute does not exist (i.e., it needs to first be added)
Operation Failed Invalid Field
An Attribute Index is specified, but no matching instance exists.
Operation Failed Item Not Found
The specified attribute is read-only Operation Failed Permission Denied
Trying to set the Name attribute value to a value already used by another object
Operation Failed Illegal Operation
The particular Application Namespace is not supported, and Application Data cannot be generated if it was omitted from the client request
Operation Failed Application Namespace Not Supported
Object is archived Operation Failed Object Archived
Table 252: Modify Attribute Errors 1975
11.16 11.16 Delete Attribute 1976
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Attempt to delete a read-only/REQUIRED attribute
Operation Failed Permission Denied
Attribute Index is specified, but the attribute does not have multiple instances (i.e., no Attribute Index is permitted to be specified)
Operation Failed Item Not Found
No attribute with the specified name exists
Operation Failed Item Not Found
Object is archived Operation Failed Object Archived
Attribute Index is not specified and the attribute has multiple instances
Operation Failed Invalid Field
Table 253: Delete Attribute Errors 1977
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted Table
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 141 of 176
11.17 11.17 Obtain Lease 1978
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
The server determines that a new lease is not permitted to be issued for the specified cryptographic object
Operation Failed Permission Denied
Object is archived Operation Failed Object Archived
Table 254: Obtain Lease Errors 1979
11.18 11.18 Get Usage Allocation 1980
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Object has no Usage Limits attribute, or the object is not able to be used for applying cryptographic protection
Operation Failed Illegal Operation
NoBoth Usage Limits Byte Count isand Usage Limits Object Count fields are specified
Operation Failed Invalid Message
Neither the Byte Count or Object Count is specified
Operation Failed Invalid Message
A usage type (Byte Count or Object Count) is specified in the request, but the usage allocation for the object MAY only be given for the other type
Operation Failed Operation Not Supported
Object is archived Operation Failed Object Archived
The server was not able to grant the requested amount of usage allocation
Operation Failed Permission Denied
Table 255: Get Usage Allocation Errors 1981
11.19 11.19 Activate 1982
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Unique Identifier specifies a template or other object that is not able to be activated
Operation Failed Illegal Operation
Object is not in Pre-Active state Operation Failed Permission Denied
Object is archived Operation Failed Object Archived
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted Table
Formatted: Don't keep with next
Formatted Table
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 142 of 176
Table 256: Activate Errors 1983
11.20 11.20 Revoke 1984
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Revocation Reason is not recognized Operation Failed Invalid Field
Unique Identifier specifies a template or other object that is not able to be revoked
Operation Failed Illegal Operation
Object is archived Operation Failed Object Archived
Table 257: Revoke Errors 1985
11.21 11.21 Destroy 1986
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Object exists, but has already been destroyed
Operation Failed Permission Denied
Object is not in Pre-Active, Deactivated or Compromised state
Operation Failed Permission Denied
Object is archived Operation Failed Object Archived
Table 258: Destroy Errors 1987
11.22 11.22 Archive 1988
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Object is already archived Operation Failed Object Archived
Table 259: Archive Errors 1989
11.23 11.23 Recover 1990
Error Definition Result Status Result Reason
No object with the specified Unique Identifier exists
Operation Failed Item Not Found
Table 260: Recover Errors 1991
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 143 of 176
11.24 11.24 Validate 1992
Error Definition Result Status Result Reason
The combination of Certificate Objects and Unique Identifiers does not specify a certificate list
Operation Failed Invalid Message
One or more of the objects is archived Operation Failed Object Archived
Table 261: Validate Errors 1993
11.25 11.25 Query 1994
N/A 1995
11.26 11.26 Cancel 1996
N/A 1997
11.27 11.27 Poll 1998
Error Definition Result Status Result Reason
No outstanding operation with the specified Asynchronous Correlation Value exists
Operation Failed Item Not Found
Table 262: Poll Errors 1999
11.28 11.28 Batch Items 2000
These errors MAY occur when a protocol message with one or more batch items is processed by the 2001 server. If a message with one or more batch items was parsed correctly, then the response message 2002 SHOULD include response(s) to the batch item(s) in the request according to the table below. 2003
2004
Error Definition ActionResult Status Result Reason
Processing of batch item fails with Batch Error Continuation Option set to Stop
Batch item fails and Result Status is set to Operation Failed.. Responses to batch items that have already been processed are returned normally. Responses to batch items that have not been processed are not returned.
See tables above, referring to the operation being performed in the batch item that failed
Processing of batch item fails with Batch Error Continuation Option set to Continue
Batch item fails and Result Status is set to Operation Failed.. Responses to other batch items are returned normally.
See tables above, referring to the operation being performed in the batch item that failed
Processing of batch item fails with Batch Error Continuation Option set to Undo
Batch item fails and Result Status is set to Operation Failed.. Batch items that had been processed have been
See tables above, referring to the operation being performed in the batch item that failed
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 144 of 176
undone and their responses are returned with Undone result status.
Table 263: Batch Items Errors 2005
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 145 of 176
12 12 Server Baseline Implementation Conformance 2006
Profile 2007
The intention of the baseline conformance profile is for the minimal KMIP Server to support the 2008 mechanics of communication and to support a limited set of commands, such as query. The minimal 2009 KMIP Server would not need to support any particular algorithm – this would be the work of additional 2010 profiles. 2011 An implementation is a conforming KMIP Server if the implementation meets the conditions in Section 2012 12.112.1 . 2013 An implementation SHALL be a conforming KMIP Server. 2014 If an implementation claims support for a particular clause, then the implementation SHALL conform to all 2015 normative statements within that clause and any subclauses to that clause. 2016
12.1 12.1 Conformance clauses for a KMIP Server 2017
An implementation conforms to this specification as a KMIP Server if it meets the following conditions: 2018 1. Supports the following objects: 2019
a. Attribute (see 2.1.12.1.1 ) 2020 b. Credential (see 2.1.22.1.2 ) 2021 c. Key Block (see 2.1.32.1.3 ) 2022 d. Key Value (see 2.1.42.1.4 ) 2023 e. Template-Attribute Structure (see 2.1.82.1.8 ) 2024
2. Supports the following attributes: 2025 a. Unique Identifier (see 3.13.1 ) 2026 b. Name (see 3.23.2 ) 2027 c. Object Type (see 3.33.3 ) 2028 d. Cryptographic Algorithm (see 3.43.4 ) 2029 e. Cryptographic Length (see 3.53.5 ) 2030 f. Cryptographic Parameters (see 3.63.6 ) 2031 g. Digest (see 3.123.12 ) 2032 h. Default Operation Policy (see 3.13.23.13.2 ) 2033 i. Cryptographic Usage Mask (see 3.143.14 ) 2034 j. State (see 3.173.17 ) 2035 k. Initial Date (see 3.183.18 ) 2036 l. Activation Date (see 3.193.19 ) 2037 m. Deactivation Date (see 3.223.22 ) 2038 n. Compromise OccurrenceDestroy Date (see 3.233.2423 ) 2039 o. Compromise Occurrence Date (see 3.243.2524 ) 2040 o. Revocation Reason (see ) 2041 p. Compromise Date (see 3.253.2625 ) 2042 p. Last Change Date (see ) 2043 q. Revocation Reason (see 3.263.3226 ) 2044
r.3. Supports the ID PlaceholderArchive Date (see 443.27 ) 2045
Formatted: Space Before: 24 pt, Outlinenumbered + Level: 1 + Numbering Style: 1, 2,3, … + Start at: 1 + Alignment: Left + Alignedat: 0 pt + Tab after: 21.6 pt + Indent at: 21.6 pt, Page break before, Hyphenate, Don'tadjust space between Latin and Asian text,Border: Top: (Single solid line, Gray-50%, 0.5pt Line width, From text: 6 pt Border spacing:), Tab stops: Not at 0 pt
Formatted: No bullets or numbering,Hyphenate, Don't adjust space between Latinand Asian text, Tab stops: Not at 36 pt
Formatted: Font: Bold
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Formatted
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 146 of 176
a. Last Change Date (see 3.323.32 ) 2046 3.4. Supports the following client-to-server operations: 2047
a. Locate (see 4.84.8 ) 2048 b. Check (see 4.94.9 ) 2049 c. Get (see 4.104.10 ) 2050 d. Get Attribute (see 4.114.11 ) 2051 e. Get Attribute List (see 1.1 4.12 ) 2052 f. Add Attribute (see 4.134.13 ) 2053 g. Modify Attribute (see 4.144.14 ) 2054 h. Delete Attribute (see 4.154.15 ) 2055 i. Activate (see 1.2 4.18 ) 2056 j. Revoke (see 4.194.19 ) 2057 k. Destroy (see 1.3 4.20 ) 2058 l. Query (see 4.244.24 ) 2059
4.5. Supports the following message contents: 2060 a. Protocol Version (see 6.16.1 ) 2061 b. Operation (see 6.26.2 ) 2062 c. Maximum Response Size (see 6.36.3 ) 2063 d. Unique Batch Item ID (see 6.46.4 ) 2064 e. Time Stamp (see 6.56.5 ) 2065 f. Asynchronous Indicator (see 6.76.7 ) 2066 g. Result Status (see 6.96.9 ) 2067 h. Result Reason (see 6.106.10 ) 2068 h.i. Result Message (see 6.116.11 ) 2069 i.j. Batch Order Option (see 6.126.12 ) 2070 j.k. Batch Error Continuation Option (see 6.136.13 ) 2071 k.l. Batch Count (see 6.146.14 ) 2072 l.m. Batch Item (see 6.156.15 ) 2073
5.6. Supports Message Format (see 77 ) 2074 6.7. Supports Authentication (see 88 ) 2075 7.8. Supports the TTLV encoding (see 9.19.1 ) 2076 8.9. Supports the transport requirements (see 1010 ) 2077 9.10. Supports Error Handling (see 1111 ) for any supported object, attribute, or operation 2078 10.11. Optionally supports any clause within this specification that is not listed above 2079 11.12. Optionally supports extensions outside the scope of this standard (e.g., vendor 2080
extensions, conformance profiles) that do not contradict any requirements within this standard 2081 12.13. Supports at least one of the profiles defined in the KMIP Profiles Specification [KMIP-2082
Prof]. 2083
2084
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 147 of 176
A. Attribute Cross-reference 2085
The following table of Attribute names indicates the Managed Object(s) for which each attribute applies. 2086 This table is not normative. 2087
Attribute Name Managed Object
Cer
tific
ate
Sym
met
ric K
ey
Publ
ic K
ey
Priv
ate
Key
Split
Key
Tem
plat
e
Secr
et D
ata
Opa
que
Obj
ect
Unique Identifier x x x x x x x x
Name x x x x x x x x
Object Type x x x x x x x x
Cryptographic Algorithm x x x x x x
Cryptographic Domain Parameters x x x
Cryptographic Length x x x x x x
Cryptographic Parameters x x x x x x
Certificate Type x
Certificate Identifier x
Certificate Issuer x
Certificate Subject x
Digest x x x x x x
Operation Policy Name x x x x x x x x
Cryptographic Usage Mask x x x x x x x
Lease Time x x x x x x x
Usage Limits x x x x x
State x x x x x x
Initial Date x x x x x x x x
Activation Date x x x x x x x
Process Start Date x x x
Protect Stop Date x x x
Deactivation Date x x x x x x x x
Destroy Date x x x x x x x
Compromise Occurrence Date x x x x x x x
Compromise Date x x x x x x x
Revocation Reason x x x x x x x
Archive Date x x x x x x x x
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 148 of 176
Attribute Name Managed Object
Object Group x x x x x x x x
Link x x x x x x
Application Specific Information x x x x x x x x
Contact Information x x x x x x x x
Last Change Date x x x x x x x x
Custom Attribute x x x x x x x x
Table 264: Attribute Cross-reference 2088
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 149 of 176
B. Tag Cross-reference 2089
This table is not normative. 2090
Object Defined Type Notes Activation Date 3.193.19 Date-Time Application Data 3.303.30 Text String Application Namespace 3.303.30 Text String
Application Specific Information 3.303.30 Structure Archive Date 3.273.27 Date-Time
Asynchronous Correlation Value 6.86.8 Byte String Asynchronous Indicator 6.76.7 Boolean Attribute 2.1.12.1.1 Structure Attribute Index 2.1.12.1.1 Integer
Attribute Name 2.1.12.1.1 Text String Attribute Value 2.1.12.1.1 * type varies Authentication 6.66.6 Structure Batch Count 6.146.14 Integer
Batch Error Continuation Option 6.136.13 , , 9.1.3.2.299.1.3.2.29 Enumeration
Batch Item 6.156.15 Structure Batch Order Option 6.126.12 Boolean
Block Cipher Mode 3.63.6 , , 9.1.3.2.139.1.3.2.13 Enumeration
Cancellation Result 4.254.25 , , 9.1.3.2.249.1.3.2.24 Enumeration
Certificate 2.2.12.2.1 Structure
Certificate Identifier 3.93.9 Structure Certificate Issuer 3.93.9 Structure Certificate Issuer Alternative Name 3.113.11 Text String Certificate Issuer Distinguished Name 3.113.11 Text String
Certificate Request 4.64.6 , , 4.74.7 Byte String
Certificate Request Type 4.64.6 , , 4.74.7 , , 9.1.3.2.219.1.3.2.21 Enumeration
Certificate Subject 3.103.10 Structure Certificate Subject Alternative Name 3.103.10 Text String Certificate Subject Distinguished Name 3.103.10 Text String
Certificate Type 2.2.12.2.1 , , 3.83.8 , , 9.1.3.2.69.1.3.2.6 Enumeration
Certificate Value 2.2.12.2.1 Byte String Common Template-Attribute 2.1.82.1.8 Structure
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 150 of 176
Object Defined Type Notes Compromise Occurrence Date 3.243.24 Date-Time
Compromise Date 3.253.25 Date-Time Contact Information 3.313.31 Text String
Credential 2.1.22.1.2 Structure
Credential Type 2.1.22.1.2 , , 9.1.3.2.19.1.3.2.1 Enumeration
Credential Value 2.1.22.1.2 *Byte String type varies Criticality Indicator 6.166.16 Boolean
CRT Coefficient 2.1.72.1.7 Big Integer
Cryptographic Algorithm 3.43.4 , , 9.1.3.2.129.1.3.2.12 Enumeration
Cryptographic Length 3.53.5 Integer
Cryptographic Parameters 3.63.6 Structure
Cryptographic Usage Mask 3.143.14 , , 9.1.3.3.19.1.3.3.1 Integer Bit mask
Custom Attribute 3.333.33 * type varies D 2.1.72.1.7 Big Integer Deactivation Date 3.223.22 Date-Time Derivation Data 4.54.5 Byte String
Derivation Method 4.54.5 , , 9.1.3.2.209.1.3.2.20 Enumeration
Derivation Parameters 4.54.5 Structure Destroy Date 3.233.23 Date-Time Digest 3.123.12 Structure Digest Value 3.123.12 Byte String
Encryption Key Information 2.1.52.1.5 Structure Extensions 9.1.39.1.3
G 2.1.72.1.7 Big Integer
Hashing Algorithm 3.63.6 , , 3.123.12 , , 9.1.3.2.159.1.3.2.15 Enumeration
Initial Date 3.183.18 Date-Time Initialization Vector 4.54.5 Byte String
Issuer 3.93.9 Text String Iteration Count 4.54.5 Integer IV/Counter/Nonce 2.1.52.1.5 Byte String J 2.1.72.1.7 Big Integer
Key 2.1.72.1.7 Byte String Key Block 2.1.32.1.3 Structure
Key Compression Type 9.1.3.2.29.1.3.2.2 Enumeration
Key Format Type 2.1.42.1.4 , , 9.1.3.2.39.1.3.2.3 Enumeration
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 151 of 176
Object Defined Type Notes
Key Material 2.1.42.1.4 , , 2.1.72.1.7 Byte String / Structure
Key Part Identifier 2.2.52.2.5 Integer
Key Role TypeValue 3.63.62.1.4 , 9.1.3.2.16 EnumerationByte String / Structure
Key ValueWrapping Data 2.1.42.1.45 Byte String / Structure
Key Wrapping DataSpecification 2.1.52.1.56 Structure Key Wrapping SpecificationLast Change Date 2.1.62.1.63.32 StructureDate-
Time
Last Change DateLease Time 3.323.3215 Date-TimeInterval
Lease TimeLink 3.153.1529 IntervalStructure
Link Type 3.293.29 , 9.1.3.2.199.1.3.2.19
StructureEnumeration
Link TypeLinked Object Identifier 3.293.29 , 9.1.3.2.19 EnumerationText String
Linked Object IdentifierMAC/Signature 3.293.292.1.5 TextByte String
MAC/Signature Key Information 2.1.52.1.5 ByteText String MAC/Signature Key InformationMaximum Items 2.1.52.1.54.8 Text StringInteger
Maximum ItemsResponse Size 4.84.86.3 Integer Maximum Response SizeMessage Extension 6.36.316 IntegerStructure
Message ExtensionModulus 6.166.162.1.7 StructureBig Integer
ModulusName 2.1.73.2.1.7 Big IntegerStructure
Name Type 3.23.2 , 9.1.3.2.109.1.3.2.10
StructureEnumeration
Name TypeValue 3.23.2 , 9.1.3.2.10 EnumerationText String
Name ValueObject Group 3.23.28 Text String
Object GroupType 3.283.283 , 9.1.3.2.119.1.3.2.11
Text StringEnumeration
Object TypeOffset 3.33.34.4 , , 9.1.3.2.119.1.3.2.114.7
EnumerationInterval
OffsetOpaque Data Type 4.44.42.2.8 , , 4.74.79.1.3.2.9
IntervalEnumeration
Opaque Data TypeValue 2.2.82.2.8 , 9.1.3.2.9 EnumerationByte String
Opaque Data ValueObject 2.2.82.2.8 Byte StringStructure
Opaque ObjectOperation 2.2.86.2.2.8 , 9.1.3.2.269.1.3.2.26
StructureEnumeration
Operation Policy Name 6.26.23.13 , 9.1.3.2.26 EnumerationText String
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 152 of 176
Object Defined Type Notes
Operation Policy NameP 3.133.132.1.7 Text StringBig Integer
Padding Method 2.1.72.1.73.6 , 9.1.3.2.149.1.3.2.14
Big IntegerEnumeration
PasswordPrime Exponent P 2.1.22.1.27 Text StringBig Integer
Padding MethodPrime Exponent Q 3.63.62.1.7 , 9.1.3.2.14 EnumerationBig Integer
Prime Exponent PField Size 2.1.72.1.72.5 Big Integer PrimePrivate Exponent Q 2.1.72.1.7 Big Integer
Prime Field SizePrivate Key 2.2.52.2.54 Big IntegerStructure
Private ExponentKey Template-Attribute 2.1.72.1.78 Big
IntegerStructure
Private Key Unique Identifier 2.2.44.2.2.4 StructureText String
Private Key Template-AttributeProcess Start Date 2.1.82.1.83.20 StructureDate-
Time
Private Key Unique IdentifierProtect Stop Date 4.24.23.21 Text StringDate-
Time
Process Start DateProtocol Version 3.203.206.1 Date-TimeStructure
Protect Stop DateProtocol Version Major 3.213.216.1 Date-TimeInteger
Protocol Version Minor 6.16.1 StructureInteger Protocol Version MajorPublic Exponent 6.162.1.7 Big Integer
Protocol Version MinorPublic Key 6.16.12.2.3 IntegerStructure Public ExponentKey Template-Attribute 2.1.72.1.78 Big
IntegerStructure
Public Key Unique Identifier 2.2.34.2.2.3 StructureText String
Public Key Template-AttributePut Function
2.1.85.2.1.8 , 9.1.3.2.259.1.3.2.25
StructureEnumeration
Public Key Unique IdentifierQ 4.24.2.1.7 Text StringBig Integer
Put FunctionQ String 5.25.2.1.7 , 9.1.3.2.25 EnumerationByte String
Qlength 2.1.72.13.7 Big Integer
Q StringQuery Function 2.1.72.1.74.24 , 9.1.3.2.239.1.3.2.23
Byte StringEnumeration
QlengthRecommended Curve 3.732.1.7 , 3.73.7 , 9.1.3.2.59.1.3.2.5
IntegerEnumeration
Query FunctionReplaced Unique Identifier
4.244.245.2 , 9.1.3.2.23
EnumerationText String
Recommended CurveRequest Header
2.1.77.2.1.7 , , 3.77.3.7 , 9.1.3.2.5
EnumerationStructure
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Formatted
Formatted: Don't adjust space between Latinand Asian text
Field Code Changed
Field Code Changed
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 153 of 176
Object Defined Type Notes Replaced Unique IdentifierRequest Message 5.25.27.1 Text
StringStructure
Request HeaderPayload 7.27.24 , 55 , 7.27.2 , 6.1 7.3 Structure
Request MessageResponse Header 7.17.12 , 6.1 7.3 Structure
Request PayloadResponse Message 447.1 , 5, 7.2 Structure
Response HeaderPayload 7.27.24 , 7.27.2 , 6.1 7.3 Structure
ResponseResult Message 7.17.16.11 StructureText String
Response PayloadResult Reason 446.10 , , 7.279.1.3.2.28
StructureEnumeration
Result MessageStatus 6.116.119 , 9.1.3.2.279.1.3.2.27
Text StringEnumeration
Result ReasonRevocation Message 6.106.103.26 , 9.1.3.2.28
EnumerationText String
Result StatusRevocation Reason 6.96.93.26 , 9.1.3.2.27 EnumerationStructure
Revocation MessageReason Code 3.263.26 , 9.1.3.2.189.1.3.2.18
Text StringEnumeration
Revocation ReasonRole Type 3.263.266 , 9.1.3.2.169.1.3.2.16
StructureEnumeration
Revocation Reason CodeSalt 3.263.264.5 , 9.1.3.2.18
EnumerationByte String
SaltSecret Data 4.54.52.2.7 Byte StringStructure
Secret Data Type 2.2.72.2.7 , 9.1.3.2.89.1.3.2.8
StructureEnumeration
Secret Data TypeSerial Number 2.2.72.2.73.9 , 9.1.3.2.8
EnumerationText String
Serial NumberServer Information 3.93.94.24 Text StringStructure
contents vendor-specific
Server InformationSplit Key 4.244.242.2.5 Structure contents vendor-specific
Split Key Method 2.2.52.2.5 , 9.1.3.2.79.1.3.2.7
StructureEnumeration
Split Key MethodParts 2.2.52.2.5 , 9.1.3.2.7 EnumerationInteger
Split Key PartsThreshold 2.2.52.2.5 Integer
Split Key ThresholdState 2.2.52.2.53.17 , 9.1.3.2.179.1.3.2.17
IntegerEnumeration
StateStorage Status Mask 3.173.174.8 , , 9.1.3.2.179.1.3.3.2.17
EnumerationInteger Bit mask
Storage Status MaskSymmetric Key 4.84.82.2.2 , 9.1.3.3.2 IntegerStructure Bit mask Symmetric KeyTemplate 2.2.22.2.26 Structure Template-Attribute 2.2.62.2.61.8 Structure
Formatted
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 154 of 176
Object Defined Type Notes
Template-AttributeTime Stamp 2.1.82.1.86.5 StructureDate-Time
Time StampTransparent* 6.56.52.1.7 Date-TimeStructure
Transparent*Unique Identifier 2.1.723.1.7 StructureText String
Unique IdentifierBatch Item ID 3.13.16.4 TextByte String
Unique Batch Item IDUsage Limits 6.46.43.16 Byte StringStructure
UsernameUsage Limits Byte Count 2.1.22.1.23.16 Text StringBig Integer
Usage Limits Object Count 3.163.16 StructureBig Integer
Usage Limits CountTotal Bytes 3.163.16 LongBig Integer Usage Limits Total Objects 3.163.16 LongBig Integer
Usage Limits UnitValidity Date 3.163.164.23 EnumerationDate-Time
Validity DateIndicator 4.234.23 , 9.1.3.2.229.1.3.2.22
Date-TimeEnumeration
Validity IndicatorVendor Extension 4.234.236.16 , 9.1.3.2.22
EnumerationStructure
contents vendor-specific
Vendor ExtensionIdentification 6.166.164.24 , 6.166.16
StructureText String
contents vendor-specific
Vendor IdentificationWrapping Method
4.244.242.1.5 , , 6.166.169.1.3.2.4
Text StringEnumeration
Wrapping MethodX 2.1.52.1.57 , 9.1.3.2.4 EnumerationBig Integer
XY 2.1.72.1.7 Big Integer Y 2.1.7 Big Integer
Table 265: Tag Cross-reference 2091
2092
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Field Code Changed
Formatted: Don't keep with next
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 155 of 176
C. Operation and Object Cross-reference 2093
The following table indicates the types of Managed Object(s) that each Operation accepts as input or 2094 provides as output. This table is not normative. 2095
Operation Managed Objects
Certificate Symmetric Key
Public Key
Private Key
Split Key Template Secret Data
Opaque Object
Create N/A Y N/A N/A N/A Y N/A N/A
Create Key Pair N/A N/A Y Y N/A N/A N/A N/A
Register Y Y Y Y Y Y Y Y
Re-Key N/A Y N/A N/A N/A Y N/A N/A
Derive Key N/A Y N/A N/A N/A Y Y N/A
Certify Y N/A Y N/A N/A Y N/A N/A
Re-certify Y N/A N/A N/A N/A Y N/A N/A
Locate Y Y Y Y Y Y Y Y
Check Y Y Y Y Y N/A Y Y
Get Y Y Y Y Y Y Y Y
Get Attributes Y Y Y Y Y Y Y Y
Get Attribute List Y Y Y Y Y Y Y Y
Add Attribute Y Y Y Y Y Y Y Y
Modify Attribute Y Y Y Y Y Y Y Y
Delete Attribute Y Y Y Y Y Y Y Y
Obtain Lease Y Y Y Y Y N/A Y N/A
Get Usage Allocation
N/A Y Y Y N/A N/A N/A N/A
Activate Y Y Y Y Y N/A Y N/A
Revoke Y Y N/A Y Y N/A Y Y
Destroy Y Y Y Y Y Y Y Y
Archive Y Y Y Y Y Y Y Y
Recover Y Y Y Y Y Y Y Y
Validate Y N/A N/A N/A N/A N/A N/A N/A
Query N/A N/A N/A N/A N/A N/A N/A N/A
Cancel N/A N/A N/A N/A N/A N/A N/A N/A
Poll N/A N/A N/A N/A N/A N/A N/A N/A
Notify N/A N/A N/A N/A N/A N/A N/A N/A
Put Y Y Y Y Y Y Y Y
Table 266: Operation and Object Cross-reference 2096
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 156 of 176
D. Acronyms 2097
The following abbreviations and acronyms are used in this document: 2098
3DES - Triple Data Encryption Standard specified in ANSI X9.52 2099
AES - Advanced Encryption Standard specified in FIPS 197 2100
ASN.1 - Abstract Syntax Notation One specified in ITU-T X.680 2101
BDK - Base Derivation Key specified in ANSI X9 TR-31 2102
CA - Certification Authority 2103
CBC - Cipher Block Chaining 2104
CCM - Counter with CBC-MAC specified in NIST SP 800-38C 2105
CFB - Cipher Feedback specified in NIST SP 800-38A 2106
CMAC - Cipher-based MAC specified in NIST SP 800-38B 2107
CMC - Certificate Management Messages over CMS specified in RFC 5275 2108
CMP - Certificate Management Protocol specified in RFC 4210 2109
CPU - Central Processing Unit 2110
CRL - Certificate Revocation List specified in RFC 5280 2111
CRMF - Certificate Request Message Format specified in RFC 4211 2112
CRT - Chinese Remainder Theorem 2113
CTR - Counter specified in NIST SP 800-38A 2114
CVK - Card Verification Key specified in ANSI X9 TR-31 2115
DEK - Data Encryption Key 2116
DER - Distinguished Encoding Rules specified in ITU-T X.690 2117
DES - Data Encryption Standard specified in FIPS 46-3 2118
DH - Diffie-Hellman specified in ANSI X9.42 2119
DNS - Domain Name Server 2120
DSA - Digital Signature Algorithm specified in FIPS 186-3 2121
DSKPP - Dynamic Symmetric Key Provisioning Protocol 2122
ECB - Electronic Code Book 2123
ECDH - Elliptic Curve Diffie-Hellman specified in ANSI X9.63 and NIST SP 800-56A 2124
ECDSA - Elliptic Curve Digital Signature Algorithm specified in ANSX9.62 2125
ECMQV - Elliptic Curve Menezes Qu Vanstone specified in ANSI X9.63 and NIST SP 800-56A 2126
FFC - Finite Field Cryptography 2127
FIPS - Federal Information Processing Standard 2128
GCM - Galois/Counter Mode specified in NIST SP 800-38D 2129
GF - Galois field (or finite field) 2130
HMAC - Keyed-Hash Message Authentication Code specified in FIPS 198-1 and RFC 2104 2131
HTTP - Hyper Text Transfer Protocol 2132
HTTP(S) - Hyper Text Transfer Protocol (Secure socket) 2133
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 157 of 176
IEEE - Institute of Electrical and Electronics Engineers 2134
IETF - Internet Engineering Task Force 2135
IP - Internet Protocol 2136
IPsec - Internet Protocol Security 2137
IV - Initialization Vector 2138
KEK - Key Encryption Key 2139
KMIP - Key Management Interoperability Protocol 2140
MAC - Message Authentication Code 2141
MKAC - EMV/chip card Master Key: Application Cryptograms specified in ANSI X9 TR-31 2142
MKCP - EMV/chip card Master Key: Card Personalization specified in ANSI X9 TR-31 2143
MKDAC - EMV/chip card Master Key: Data Authentication Code specified in ANSI X9 TR-31 2144
MKDN - EMV/chip card Master Key: Dynamic Numbers specified in ANSI X9 TR-31 2145
MKOTH - EMV/chip card Master Key: Other specified in ANSI X9 TR-31 2146
MKSMC - EMV/chip card Master Key: Secure Messaging for Confidentiality specified in X9 TR-31 2147
MKSMI - EMV/chip card Master Key: Secure Messaging for Integrity specified in ANSI X9 TR-31 2148
MD2 - Message Digest 2 Algorithm specified in RFC 1319 2149
MD4 - Message Digest 4 Algorithm specified in RFC 1320 2150
MD5 - Message Digest 5 Algorithm specified in RFC 1321 2151
NIST - National Institute of Standards and Technology 2152
OAEP - Optimal Asymmetric Encryption Padding specified in PKCS#1 2153
OFB - Output Feedback specified in NIST SP 800-38A 2154
PBKDF2 - Password-Based Key Derivation Function 2 specified in RFC 2898 2155
PCBC - Propagating Cipher Block Chaining 2156
PEM - Privacy Enhanced Mail specified in RFC 1421 2157
PGP - Pretty Good Privacy specified in RFC 1991 2158
PKCS - Public-Key Cryptography Standards 2159
PKCS#1 - RSA Cryptography Specification Version 2.1 specified in RFC 3447 2160
PKCS#5 - Password-Based Cryptography Specification Version 2 specified in RFC 2898 2161
PKCS#8 - Private-Key Information Syntax Specification Version 1.2 specified in RFC 5208 2162
PKCS#10 - Certification Request Syntax Specification Version 1.7 specified in RFC 2986 2163
POSIX - Portable Operating System Interface 2164
RFC - Request for Comments documents of IETF 2165
RSA - Rivest, Shamir, Adelman (an algorithm) 2166
SCEP - Simple Certificate Enrollment Protocol 2167
SCVP - Server-based Certificate Validation Protocol 2168
SHA - Secure Hash Algorithm specified in FIPS 180-2 2169
SP - Special Publication 2170
SSL/TLS - Secure Sockets Layer/Transport Layer Security 2171
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 158 of 176
S/MIME - Secure/Multipurpose Internet Mail Extensions 2172
TDEA - see 3DES 2173
TCP - Transport Control Protocol 2174
TTLV - Tag, Type, Length, Value 2175
URI - Uniform Resource Identifier 2176
UTC - Universal Time Coordinated 2177
UTF - Universal Transformation Format 8-bit specified in RFC 3629 2178
XKMS - XML Key Management Specification 2179
XML - Extensible Markup Language 2180
XTS - XEX Tweakable Block Cipher with Ciphertext Stealing specified in NIST SP 800-38E 2181
X.509 - Public Key Certificate specified in RFC 5280 2182
ZPK - PIN Block Encryption Key specified in ANSI X9 TR-31 2183
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 159 of 176
E. List of Figures and Tables 2184
Figure 1: Cryptographic Object States and Transitions .............................................................................. 52 2185 Figure 1: Cryptographic Object States and Transitions .............................................................................. 43 2186 2187 Table 1: Terminology .................................................................................................................................. 15 2188 Table 2: Attribute Object Structure .............................................................................................................. 19 2189 Table 3: Credential Object Structure ........................................................................................................... 20 2190 Table 4: Credential Value Structure for the Username and Password Credential ..................................... 20 2191 Table 5: Key Block Object Structure ........................................................................................................... 21 2192 Table 6: Key Value Object Structure ........................................................................................................... 22 2193 Table 7: Key Wrapping Data Object Structure ............................................................................................ 23 2194 Table 8: Encryption Key Information Object Structure ................................................................................ 23 2195 Table 9: MAC/Signature Key Information Object Structure ........................................................................ 23 2196 Table 10: Key Wrapping Specification Object Structure ............................................................................. 24 2197 Table 11: Parameter mapping. ................................................................................................................... 25 2198 Table 12: Key Material Object Structure for Transparent Symmetric Keys ................................................ 25 2199 Table 13: Key Material Object Structure for Transparent DSA Private Keys ............................................. 26 2200 Table 14: Key Material Object Structure for Transparent DSA Public Keys ............................................... 26 2201 Table 15: Key Material Object Structure for Transparent RSA Private Keys ............................................. 26 2202 Table 16: Key Material Object Structure for Transparent RSA Public Keys ............................................... 27 2203 Table 17: Key Material Object Structure for Transparent DH Private Keys ................................................ 27 2204 Table 18: Key Material Object Structure for Transparent DH Public Keys ................................................. 27 2205 Table 19: Key Material Object Structure for Transparent ECDSA Private Keys ........................................ 28 2206 Table 20: Key Material Object Structure for Transparent ECDSA Public Keys .......................................... 28 2207 Table 21: Key Material Object Structure for Transparent ECDH Private Keys ........................................... 28 2208 Table 22: Key Material Object Structure for Transparent ECDH Public Keys ............................................ 29 2209 Table 23: Key Material Object Structure for Transparent ECMQV Private Keys ........................................ 29 2210 Table 24: Key Material Object Structure for Transparent ECMQV Public Keys ......................................... 29 2211 Table 25: Template-Attribute Object Structure ........................................................................................... 30 2212 Table 26: Certificate Object Structure ......................................................................................................... 30 2213 Table 27: Symmetric Key Object Structure ................................................................................................. 30 2214 Table 28: Public Key Object Structure ........................................................................................................ 31 2215 Table 29: Private Key Object Structure ....................................................................................................... 31 2216 Table 30: Split Key Object Structure ........................................................................................................... 31 2217 Table 31: Template Object Structure .......................................................................................................... 33 2218 Table 32: Secret Data Object Structure ...................................................................................................... 33 2219 Table 33: Opaque Object Structure ............................................................................................................ 34 2220 Table 34: Attribute Rules ............................................................................................................................. 36 2221 Table 35: Unique Identifier Attribute ........................................................................................................... 36 2222 Table 36: Unique Identifier Attribute Rules ................................................................................................. 37 2223
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 160 of 176
Table 37: Name Attribute Structure ............................................................................................................ 37 2224 Table 38: Name Attribute Rules .................................................................................................................. 37 2225 Table 39: Object Type Attribute .................................................................................................................. 38 2226 Table 40: Object Type Attribute Rules ........................................................................................................ 38 2227 Table 41: Cryptographic Algorithm Attribute ............................................................................................... 38 2228 Table 42: Cryptographic Algorithm Attribute Rules ..................................................................................... 38 2229 Table 43: Cryptographic Length Attribute ................................................................................................... 39 2230 Table 44: Cryptographic Length Attribute Rules ......................................................................................... 39 2231 Table 45: Cryptographic Parameters Attribute Structure ............................................................................ 39 2232 Table 46: Cryptographic Parameters Attribute Rules ................................................................................. 40 2233 Table 47: Key Role Types ........................................................................................................................... 40 2234 Table 48: Cryptographic Domain Parameters Attribute Structure .............................................................. 41 2235 Table 49: Cryptographic Domain Parameters Attribute Rules .................................................................... 41 2236 Table 50: Certificate Type Attribute ............................................................................................................ 41 2237 Table 51: Certificate Type Attribute Rules .................................................................................................. 42 2238 Table 52: Certificate Identifier Attribute Structure ....................................................................................... 42 2239 Table 53: Certificate Identifier Attribute Rules ............................................................................................ 42 2240 Table 54: Certificate Subject Attribute Structure ......................................................................................... 43 2241 Table 55: Certificate Subject Attribute Rules .............................................................................................. 43 2242 Table 56: Certificate Issuer Attribute Structure ........................................................................................... 43 2243 Table 57: Certificate Issuer Attribute Rules ................................................................................................ 44 2244 Table 58: Digest Attribute Structure ............................................................................................................ 44 2245 Table 59: Digest Attribute Rules ................................................................................................................. 45 2246 Table 60: Operation Policy Name Attribute ................................................................................................. 45 2247 Table 61: Operation Policy Name Attribute Rules ...................................................................................... 45 2248 Table 62: Default Operation Policy for Secret Objects ............................................................................... 47 2249 Table 63: Default Operation Policy for Certificates and Public Key Objects .............................................. 47 2250 Table 64: Default Operation Policy for Private Template Objects .............................................................. 48 2251 Table 65: Default Operation Policy for Public Template Objects ................................................................ 48 2252 Table 66: X.509 Key Usage to Cryptographic Usage Mask Mapping ........................................................ 49 2253 Table 67: Cryptographic Usage Mask Attribute .......................................................................................... 49 2254 Table 68: Cryptographic Usage Mask Attribute Rules ................................................................................ 50 2255 Table 69: Lease Time Attribute ................................................................................................................... 50 2256 Table 70: Lease Time Attribute Rules ......................................................................................................... 50 2257 Table 71: Usage Limits Attribute Structure ................................................................................................. 51 2258 Table 72: Usage Limits Attribute Rules ....................................................................................................... 52 2259 Table 73: State Attribute ............................................................................................................................. 54 2260 Table 74: State Attribute Rules ................................................................................................................... 54 2261 Table 75: Initial Date Attribute ..................................................................................................................... 54 2262 Table 76: Initial Date Attribute Rules .......................................................................................................... 54 2263 Table 77: Activation Date Attribute ............................................................................................................. 55 2264 Table 78: Activation Date Attribute Rules ................................................................................................... 55 2265
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 161 of 176
Table 79: Process Start Date Attribute ....................................................................................................... 55 2266 Table 80: Process Start Date Attribute Rules ............................................................................................. 56 2267 Table 81: Protect Stop Date Attribute ......................................................................................................... 56 2268 Table 82: Protect Stop Date Attribute Rules ............................................................................................... 57 2269 Table 83: Deactivation Date Attribute ......................................................................................................... 57 2270 Table 84: Deactivation Date Attribute Rules ............................................................................................... 57 2271 Table 85: Destroy Date Attribute ................................................................................................................. 57 2272 Table 86: Destroy Date Attribute Rules ...................................................................................................... 58 2273 Table 87: Compromise Occurrence Date Attribute ..................................................................................... 58 2274 Table 88: Compromise Occurrence Date Attribute Rules ........................................................................... 58 2275 Table 89: Compromise Date Attribute ......................................................................................................... 58 2276 Table 90: Compromise Date Attribute Rules .............................................................................................. 59 2277 Table 91: Revocation Reason Attribute Structure ...................................................................................... 59 2278 Table 92: Revocation Reason Attribute Rules ............................................................................................ 59 2279 Table 93: Archive Date Attribute ................................................................................................................. 60 2280 Table 94: Archive Date Attribute Rules ....................................................................................................... 60 2281 Table 95: Object Group Attribute ................................................................................................................ 60 2282 Table 96: Object Group Attribute Rules ...................................................................................................... 60 2283 Table 97: Link Attribute Structure ............................................................................................................... 61 2284 Table 98: Link Attribute Structure Rules ..................................................................................................... 61 2285 Table 99: Application Specific Information Attribute ................................................................................... 62 2286 Table 100: Application Specific Information Attribute Rules ....................................................................... 62 2287 Table 101: Contact Information Attribute .................................................................................................... 62 2288 Table 102: Contact Information Attribute Rules .......................................................................................... 63 2289 Table 103: Last Change Date Attribute ....................................................................................................... 63 2290 Table 104: Last Change Date Attribute Rules ............................................................................................ 63 2291 Table 105 Custom Attribute ........................................................................................................................ 64 2292 Table 106: Custom Attribute Rules ............................................................................................................. 64 2293 Table 107: Create Request Payload ........................................................................................................... 66 2294 Table 108: Create Response Payload ........................................................................................................ 66 2295 Table 109: Create Attribute Requirements ................................................................................................. 66 2296 Table 110: Create Key Pair Request Payload ............................................................................................ 67 2297 Table 111: Create Key Pair Response Payload ......................................................................................... 67 2298 Table 112: Create Key Pair Attribute Requirements ................................................................................... 68 2299 Table 113: Register Request Payload ........................................................................................................ 68 2300 Table 114: Register Response Payload ..................................................................................................... 69 2301 Table 115: Register Attribute Requirements ............................................................................................... 69 2302 Table 116: Computing New Dates from Offset during Re-key .................................................................... 70 2303 Table 117: Re-key Attribute Requirements ................................................................................................. 71 2304 Table 118: Re-key Request Payload .......................................................................................................... 71 2305 Table 119: Re-key Response Payload ....................................................................................................... 71 2306 Table 120: Derive Key Request Payload .................................................................................................... 72 2307
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 162 of 176
Table 121: Derive Key Response Payload ................................................................................................. 73 2308 Table 122: Derivation Parameters Structure (Except PBKDF2) ................................................................. 73 2309 Table 123: PBKDF2 Derivation Parameters Structure ............................................................................... 74 2310 Table 124: Certify Request Payload ........................................................................................................... 74 2311 Table 125: Certify Response Payload ........................................................................................................ 75 2312 Table 126: Computing New Dates from Offset during Re-certify ................................................................ 75 2313 Table 127: Re-certify Attribute Requirements ............................................................................................. 76 2314 Table 128: Re-certify Request Payload ...................................................................................................... 76 2315 Table 129: Re-certify Response Payload ................................................................................................... 77 2316 Table 130: Locate Request Payload ........................................................................................................... 78 2317 Table 131: Locate Response Payload ........................................................................................................ 78 2318 Table 132: Check Request Payload ........................................................................................................... 79 2319 Table 133: Check Response Payload ......................................................................................................... 80 2320 Table 134: Get Request Payload ................................................................................................................ 81 2321 Table 135: Get Response Payload ............................................................................................................. 81 2322 Table 136: Get Attributes requestRequest Payload ................................................................................... 81 2323 Table 137: Get Attributes Response Payload ............................................................................................. 82 2324 Table 138: Get Attributes Request Payload ................................................................................................ 82 2325 Table 139: Get Attributes Response Payload ............................................................................................. 82 2326 Table 140: Get Attribute List Request Payload ........................................................................................... 82 2327 Table 141: Get Attribute List Response Payload ........................................................................................ 83 2328 Table 142: Add Attribute Request Payload ................................................................................................. 83 2329 Table 143: Add Attribute Response Payload .............................................................................................. 83 2330 Table 144: Modify Attribute Request Payload............................................................................................. 84 2331 Table 145: Modify Attribute Response Payload .......................................................................................... 84 2332 Table 146: Delete Attribute Request Payload ............................................................................................. 84 2333 Table 147: Delete Attribute Response Payload .......................................................................................... 84 2334 Table 148: Obtain Lease Request Payload ................................................................................................ 85 2335 Table 149: Obtain Lease Response Payload ............................................................................................. 85 2336 Table 150: Get Usage Allocation Request Payload .................................................................................... 86 2337 Table 151: Get Usage Allocation Response Payload ................................................................................. 86 2338 Table 152: Get Usage Allocation Request Payload .................................................................................... 86 2339 Table 153: Activate Request Payload ......................................................................................................... 86 2340 Table 154: Get Usage Allocation Response Payload ................................................................................. 86 2341 Table 155: Activate Request Payload ......................................................................................................... 87 2342 Table 156: Activate Response Payload ...................................................................................................... 87 2343 Table 157: Revoke Request Payload ......................................................................................................... 87 2344 Table 158: Revoke Response Payload ....................................................................................................... 87 2345 Table 159: Revoke Request Payload ......................................................................................................... 88 2346 Table 160: Revoke Response Payload ....................................................................................................... 88 2347 Table 161: Destroy Request Payload ......................................................................................................... 88 2348 Table 162: Destroy Response Payload ...................................................................................................... 88 2349
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 163 of 176
Table 163: Archive Request Payload .......................................................................................................... 89 2350 Table 164: Archive Response Payload ....................................................................................................... 89 2351 Table 165: Recover Request Payload ........................................................................................................ 89 2352 Table 166: Recover Response Payload ..................................................................................................... 89 2353 Table 167: Validate Request Payload ......................................................................................................... 90 2354 Table 168: Validate Response Payload ...................................................................................................... 90 2355 Table 169: Query Request Payload ............................................................................................................ 91 2356 Table 170: Query Response Payload ......................................................................................................... 91 2357 Table 171: Cancel Request Payload .......................................................................................................... 92 2358 Table 172: Cancel Response Payload ........................................................................................................ 92 2359 Table 173: Poll Request Payload ................................................................................................................ 92 2360 Table 174: Notify Message Payload ........................................................................................................... 93 2361 Table 175: Put Message Payload ............................................................................................................... 94 2362 Table 176: Protocol Version Structure in Message Header ........................................................................ 95 2363 Table 177: Operation in Batch Item ............................................................................................................ 95 2364 Table 178: Maximum Response Size in Message Request Header .......................................................... 96 2365 179: Unique Batch Item ID in Batch Item .................................................................................................... 96 2366 Table 180: Time Stamp in Message Header .............................................................................................. 96 2367 Table 181: Authentication Structure in Message Header ........................................................................... 97 2368 Table 182: Asynchronous Indicator in Message Request Header .............................................................. 97 2369 Table 183: Asynchronous Correlation Value in Response Batch Item ....................................................... 97 2370 Table 184: Result Status in Response Batch Item ..................................................................................... 98 2371 Table 185: Result Reason in Response Batch Item ................................................................................... 99 2372 Table 186: Result Message in Response Batch Item ................................................................................. 99 2373 Table 187: Batch Order Option in Message Request Header .................................................................... 99 2374 Table 188: Batch Error Continuation Option in Message Request Header .............................................. 100 2375 189: Batch Count in Message Header ...................................................................................................... 100 2376 Table 190: Batch Item in Message ........................................................................................................... 100 2377 Table 191: Message Extension Structure in Batch Item ........................................................................... 101 2378 Table 192: Request Message Structure ................................................................................................... 102 2379 Table 193: Response Message Structure ................................................................................................. 102 2380 Table 194: Request Header Structure ...................................................................................................... 103 2381 Table 195: Synchronous Request Header Structure ................................................................................ 103 2382 Table 196: Request Batch Item Structure ................................................................................................. 103 2383 Table 197: Response Header Structure ................................................................................................... 104 2384 Table 198: Synchronous Response Batch Item Structure ........................................................................ 104 2385 Table 199: Asynchronous Request Header Structure .............................................................................. 105 2386 Table 200: Asynchronous Request Batch Item Structure ......................................................................... 105 2387 Table 201: Asynchronous Response Header Structure ........................................................................... 106 2388 Table 202: Asynchronous Response Batch Item Structure ...................................................................... 106 2389 Table 203: Allowed Item Type Values ...................................................................................................... 108 2390 Table 204: Allowed Item Length Values ................................................................................................... 109 2391
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 164 of 176
Table 205: Tag Values .............................................................................................................................. 116 2392 Table 206: Credential Type Enumeration ................................................................................................. 116 2393 Table 207: Key Compression Type Enumeration ..................................................................................... 116 2394 Table 208: Key Format Type Enumeration ............................................................................................... 117 2395 Table 209: Wrapping Method Enumeration .............................................................................................. 117 2396 Table 210: Recommended Curve Enumeration for ECDSA, ECDH, and ECMQV .................................. 118 2397 Table 211: Certificate Type Enumeration ................................................................................................. 118 2398 Table 212: Split Key Method Enumeration ............................................................................................... 118 2399 Table 213: Secret Data Type Enumeration ............................................................................................... 119 2400 Table 214: Opaque Data Type Enumeration ............................................................................................ 119 2401 Table 215: Name Type Enumeration ........................................................................................................ 119 2402 Table 216: Object Type Enumeration ....................................................................................................... 119 2403 Table 217: Cryptographic Algorithm Enumeration .................................................................................... 120 2404 Table 218: Block Cipher Mode Enumeration ............................................................................................ 121 2405 Table 219: Padding Method Enumeration ................................................................................................ 121 2406 Table 220: Hashing Algorithm Enumeration ............................................................................................. 122 2407 Table 221: Key Role Type Enumeration ................................................................................................... 123 2408 Table 222: State Enumeration .................................................................................................................. 124 2409 Table 223: Revocation Reason Code Enumeration ................................................................................. 124 2410 Table 224: Link Type Enumeration ........................................................................................................... 124 2411 Table 225: Derivation Method Enumeration ............................................................................................. 125 2412 Table 226: Certificate Request Type Enumeration ................................................................................... 125 2413 Table 227: Validity Indicator Enumeration ................................................................................................ 125 2414 Table 228: Query Function Enumeration .................................................................................................. 126 2415 Table 229: Cancellation Result Enumeration ............................................................................................ 126 2416 Table 230: Put Function Enumeration ...................................................................................................... 126 2417 Table 231: Operation Enumeration ........................................................................................................... 127 2418 Table 232: Result Status Enumeration ..................................................................................................... 128 2419 Table 233: Result Reason Enumeration ................................................................................................... 128 2420 Table 234: Batch Error Continuation Enumeration ................................................................................... 129 2421 Table 235: Usage Limits Unit Enumeration .............................................................................................. 129 2422 Table 236: Cryptographic Usage Mask ..................................................................................................... 130 2423 Table 237: Storage Status Mask ............................................................................................................... 130 2424 Table 238: General Errors ......................................................................................................................... 133 2425 Table 239: Create Errors ........................................................................................................................... 134 2426 Table 240: Create Key Pair Errors ............................................................................................................ 134 2427 Table 241: Register Errors ........................................................................................................................ 135 2428 Table 242: Re-key Errors .......................................................................................................................... 136 2429 Table 243: Derive Key Errors-................................................................................................................... 136 2430 Table 244: Certify Errors ........................................................................................................................... 137 2431 Table 245: Re-certify Errors ...................................................................................................................... 137 2432 Table 246: Locate Errors ........................................................................................................................... 138 2433
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 165 of 176
Table 247: Check Errors ........................................................................................................................... 138 2434 Table 248: Get Errors ................................................................................................................................ 139 2435 Table 249: Get Attributes Errors ............................................................................................................... 139 2436 Table 250: Get Attribute List Errors .......................................................................................................... 139 2437 Table 251: Add Attribute Errors ................................................................................................................ 139 2438 Table 252: Modify Attribute Errors ............................................................................................................ 140 2439 Table 253: Delete Attribute Errors ............................................................................................................ 140 2440 Table 254: Obtain Lease Errors ................................................................................................................ 141 2441 Table 255: Get Usage Allocation Errors ................................................................................................... 141 2442 Table 256: Activate Errors ......................................................................................................................... 142 2443 Table 257: Revoke Errors ......................................................................................................................... 142 2444 Table 258: Destroy Errors ......................................................................................................................... 142 2445 Table 259: Archive Errors ......................................................................................................................... 142 2446 Table 260: Recover Errors ........................................................................................................................ 142 2447 Table 261: Validate Errors ........................................................................................................................ 143 2448 Table 262: Poll Errors ............................................................................................................................... 143 2449 Table 263: Batch Items Errors .................................................................................................................. 144 2450 Table 264: Attribute Cross-reference ........................................................................................................ 148 2451 Table 265: Tag Cross-reference ............................................................................................................... 154 2452 Table 266: Operation and Object Cross-reference ................................................................................... 155 2453 Table 1: Terminology .................................................................................................................................. 11 2454 Table 21: Attribute Object Structure ............................................................................................................ 15 2455 Table 32: Credential Object Structure ......................................................................................................... 16 2456 Table 4: Credential Value Structure for the Username and Password Credential ..................................... 16 2457 Table 53: Key Block Object Structure ......................................................................................................... 17 2458 Table 64: Key Value Object Structure ......................................................................................................... 18 2459 Table 75: Key Wrapping Data Object Structure .......................................................................................... 19 2460 Table 86: Encryption Key Information Object Structure .............................................................................. 19 2461 Table 97: MAC/Signature Key Information Object Structure ...................................................................... 19 2462 Table 108: Key Wrapping Specification Object Structure ........................................................................... 20 2463 Table 11: Parameter mapping. ................................................................................................................... 21 2464 Table 129: Key Material Object Structure for Transparent Symmetric Keys .............................................. 21 2465 Table 1310: Key Material Object Structure for Transparent DSA Private Keys ......................................... 22 2466 Table 1411: Key Material Object Structure for Transparent DSA Public Keys ........................................... 22 2467 Table 1512: Key Material Object Structure for Transparent RSA Private Keys ......................................... 22 2468 Table 1613: Key Material Object Structure for Transparent RSA Public Keys ........................................... 23 2469 Table 1714: Key Material Object Structure for Transparent DH Private Keys ............................................ 23 2470 Table 1815: Key Material Object Structure for Transparent DH Public Keys ............................................. 23 2471 Table 1916: Key Material Object Structure for Transparent ECDSA Private Keys .................................... 24 2472 Table 2017: Key Material Object Structure for Transparent ECDSA Public Keys ...................................... 24 2473 Table 2118: Key Material Object Structure for Transparent ECDH Private Keys ....................................... 24 2474 Table 2219: Key Material Object Structure for Transparent ECDH Public Keys ........................................ 24 2475
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 166 of 176
Table 2320: Key Material Object Structure for Transparent ECMQV Private Keys .................................... 25 2476 Table 2421: Key Material Object Structure for Transparent ECMQV Public Keys ..................................... 25 2477 Table 2522: Template-Attribute Object Structure ....................................................................................... 25 2478 Table 2623: Certificate Object Structure ..................................................................................................... 26 2479 Table 2724: Symmetric Key Object Structure ............................................................................................. 26 2480 Table 2825: Public Key Object Structure .................................................................................................... 26 2481 Table 2926: Private Key Object Structure ................................................................................................... 26 2482 Table 3027: Split Key Object Structure ....................................................................................................... 27 2483 Table 3128: Template Object Structure ...................................................................................................... 28 2484 Table 3229: Secret Data Object Structure .................................................................................................. 29 2485 Table 3330: Opaque Object Structure ........................................................................................................ 29 2486 Table 3431: Attribute Rules......................................................................................................................... 31 2487 Table 3532: Unique Identifier Attribute ....................................................................................................... 31 2488 Table 3633: Unique Identifier Attribute Rules ............................................................................................. 32 2489 Table 3734: Name Attribute Structure ........................................................................................................ 32 2490 Table 3835: Name Attribute Rules .............................................................................................................. 32 2491 Table 3936: Object Type Attribute .............................................................................................................. 33 2492 Table 4037: Object Type Attribute Rules .................................................................................................... 33 2493 Table 4138: Cryptographic Algorithm Attribute ........................................................................................... 33 2494 Table 4239: Cryptographic Algorithm Attribute Rules ................................................................................. 33 2495 Table 4340: Cryptographic Length Attribute ............................................................................................... 33 2496 Table 4441: Cryptographic Length Attribute Rules ..................................................................................... 34 2497 Table 4542: Cryptographic Parameters Attribute Structure ........................................................................ 34 2498 Table 4643: Cryptographic Parameters Attribute Rules ............................................................................. 34 2499 Table 4744: Key Role Types ....................................................................................................................... 35 2500 Table 4845: Cryptographic Domain Parameters Attribute Structure .......................................................... 36 2501 Table 4946: Cryptographic Domain Parameters Attribute Rules ................................................................ 36 2502 Table 5047: Certificate Type Attribute ........................................................................................................ 36 2503 Table 5148: Certificate Type Attribute Rules .............................................................................................. 36 2504 Table 5249: Certificate Identifier Attribute Structure ................................................................................... 37 2505 Table 5350: Certificate Identifier Attribute Rules ........................................................................................ 37 2506 Table 5451: Certificate Subject Attribute Structure ..................................................................................... 37 2507 Table 5552: Certificate Subject Attribute Rules .......................................................................................... 38 2508 Table 5653: Certificate Issuer Attribute Structure ....................................................................................... 38 2509 Table 5754: Certificate Issuer Attribute Rules ............................................................................................ 38 2510 Table 5855: Digest Attribute Structure ........................................................................................................ 39 2511 Table 5956: Digest Attribute Rules ............................................................................................................. 39 2512 Table 6057: Operation Policy Name Attribute ............................................................................................. 39 2513 Table 6158: Operation Policy Name Attribute Rules .................................................................................. 40 2514 Table 6259: Default Operation Policy for Secret Objects ........................................................................... 41 2515 Table 6360: Default Operation Policy for Certificates and Public Key Objects .......................................... 42 2516 Table 6461: Default Operation Policy for Private Template Objects .......................................................... 42 2517
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 167 of 176
Table 6562: Default Operation Policy for Public Template Objects ............................................................ 43 2518 Table 6663: X.509 Key Usage to Cryptographic Usage Mask Mapping .................................................... 44 2519 Table 6764: Cryptographic Usage Mask Attribute ...................................................................................... 44 2520 Table 6865: Cryptographic Usage Mask Attribute Rules ............................................................................ 44 2521 Table 6966: Lease Time Attribute ............................................................................................................... 44 2522 Table 7067: Lease Time Attribute Rules ..................................................................................................... 45 2523 Table 7168: Usage Limits Attribute Structure ............................................................................................. 45 2524 Table 7269: Usage Limits Attribute Rules ................................................................................................... 46 2525 Table 7370: State Attribute ......................................................................................................................... 47 2526 Table 7471: State Attribute Rules ............................................................................................................... 48 2527 Table 7572: Initial Date Attribute ................................................................................................................. 48 2528 Table 7673: Initial Date Attribute Rules ...................................................................................................... 48 2529 Table 7774: Activation Date Attribute ......................................................................................................... 49 2530 Table 7875: Activation Date Attribute Rules ............................................................................................... 49 2531 Table 7976: Process Start Date Attribute ................................................................................................... 49 2532 Table 8077: Process Start Date Attribute Rules ......................................................................................... 50 2533 Table 8178: Protect Stop Date Attribute ..................................................................................................... 50 2534 Table 8279: Protect Stop Date Attribute Rules ........................................................................................... 51 2535 Table 8380: Deactivation Date Attribute ..................................................................................................... 51 2536 Table 8481: Deactivation Date Attribute Rules ........................................................................................... 51 2537 Table 8582: Destroy Date Attribute ............................................................................................................. 51 2538 Table 8683: Destroy Date Attribute Rules .................................................................................................. 52 2539 Table 8784: Compromise Occurrence Date Attribute ................................................................................. 52 2540 Table 8885: Compromise Occurrence Date Attribute Rules ....................................................................... 52 2541 Table 8986: Compromise Date Attribute ..................................................................................................... 52 2542 Table 9087: Compromise Date Attribute Rules .......................................................................................... 53 2543 Table 9188: Revocation Reason Attribute Structure .................................................................................. 53 2544 Table 9289: Revocation Reason Attribute Rules ........................................................................................ 53 2545 Table 9390: Archive Date Attribute ............................................................................................................. 54 2546 Table 9491: Archive Date Attribute Rules ................................................................................................... 54 2547 Table 9592: Object Group Attribute ............................................................................................................ 54 2548 Table 9693: Object Group Attribute Rules .................................................................................................. 54 2549 Table 9794: Link Attribute Structure ........................................................................................................... 55 2550 Table 9895: Link Attribute Structure Rules ................................................................................................. 55 2551 Table 9996: Application Specific Information Attribute ............................................................................... 56 2552 Table 10097: Application Specific Information Attribute Rules ................................................................... 56 2553 Table 10198: Contact Information Attribute ................................................................................................ 56 2554 Table 10299: Contact Information Attribute Rules ...................................................................................... 57 2555 Table 103100: Last Change Date Attribute ................................................................................................. 57 2556 Table 104101: Last Change Date Attribute Rules ...................................................................................... 57 2557 Table 105102 Custom Attribute .................................................................................................................. 58 2558 Table 106103: Custom Attribute Rules ....................................................................................................... 58 2559
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 168 of 176
Table 107104: Create Request Payload ..................................................................................................... 60 2560 Table 108105: Create Response Payload .................................................................................................. 60 2561 Table 109106: Create Attribute Requirements ........................................................................................... 60 2562 Table 110107: Create Key Pair Request Payload ...................................................................................... 61 2563 Table 111108: Create Key Pair Response Payload ................................................................................... 61 2564 Table 112109: Create Key Pair Attribute Requirements ............................................................................. 62 2565 Table 113110: Register Request Payload .................................................................................................. 62 2566 Table 114111: Register Response Payload ............................................................................................... 63 2567 Table 115112: Register Attribute Requirements ......................................................................................... 63 2568 Table 116113: Computing New Dates from Offset during Re-key.............................................................. 64 2569 Table 117114: Re-key Attribute Requirements ........................................................................................... 64 2570 Table 118115: Re-key Request Payload .................................................................................................... 65 2571 Table 119116: Re-key Response Payload ................................................................................................. 65 2572 Table 120117: Derive Key Request Payload .............................................................................................. 66 2573 Table 121118: Derive Key Response Payload ........................................................................................... 67 2574 Table 122119: Derivation Parameters Structure (Except PBKDF2) ........................................................... 67 2575 Table 123120: PBKDF2 Derivation Parameters Structure ......................................................................... 68 2576 Table 124121: Certify Request Payload ..................................................................................................... 68 2577 Table 125122: Certify Response Payload .................................................................................................. 69 2578 Table 126123: Computing New Dates from Offset during Re-certify ......................................................... 69 2579 Table 127124: Re-certify Attribute Requirements ....................................................................................... 70 2580 Table 128125: Re-certify Request Payload ................................................................................................ 70 2581 Table 129126: Re-certify Response Payload ............................................................................................. 71 2582 Table 130127: Locate Request Payload ..................................................................................................... 72 2583 Table 131128: Locate Response Payload .................................................................................................. 72 2584 Table 132129: Check Request Payload ..................................................................................................... 73 2585 Table 133130: Check Response Payload ................................................................................................... 74 2586 Table 134131: Get Request Payload .......................................................................................................... 74 2587 Table 135132: Get Response Payload ....................................................................................................... 75 2588 Table 133: Get Attributes requestRequest Payload ................................................................................... 75 2589 Table 134: Get Attributes Response Payload ............................................................................................. 75 2590 Table 136135: Get Attributes Request Payload ......................................................................................... 76 2591 Table 137136: Get Attributes Response Payload ....................................................................................... 76 2592 Table 138: Get Attribute List Request Payload ........................................................................................... 76 2593 Table 139: Get Attribute List Response Payload ........................................................................................ 76 2594 Table 140137: Add Attribute Request Payload ........................................................................................... 77 2595 Table 141138: Add Attribute Response Payload ........................................................................................ 77 2596 Table 142139: Modify Attribute Request Payload ...................................................................................... 77 2597 Table 143140: Modify Attribute Response Payload .................................................................................... 77 2598 Table 144141: Delete Attribute Request Payload ....................................................................................... 78 2599 Table 145142: Delete Attribute Response Payload .................................................................................... 78 2600 Table 146143: Obtain Lease Request Payload .......................................................................................... 78 2601
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 169 of 176
Table 147144: Obtain Lease Response Payload ....................................................................................... 79 2602 Table 145: Get Usage Allocation Request Payload .................................................................................... 79 2603 Table 146: Get Usage Allocation Response Payload ................................................................................. 79 2604 Table 148: Get Usage Allocation Request Payload .................................................................................... 80 2605 Table 147: Activate Request Payload ......................................................................................................... 80 2606 Table 149148: Get Usage Allocation Response Payload ........................................................................... 80 2607 Table 150: Activate Request Payload ......................................................................................................... 80 2608 Table 151: Activate Response Payload ...................................................................................................... 80 2609 Table 149: Revoke Request Payload ......................................................................................................... 81 2610 Table 150: Revoke Response Payload ....................................................................................................... 81 2611 Table 152151: Revoke Request Payload ................................................................................................... 81 2612 Table 153152: Revoke Response Payload ................................................................................................. 81 2613 Table 154: Destroy Request Payload ......................................................................................................... 82 2614 Table 155: Destroy Response Payload ...................................................................................................... 82 2615 Table 156153: Archive Request Payload .................................................................................................... 82 2616 Table 157154: Archive Response Payload ................................................................................................. 82 2617 Table 158155: Recover Request Payload .................................................................................................. 83 2618 Table 159156: Recover Response Payload ............................................................................................... 83 2619 Table 160157: Validate Request Payload ................................................................................................... 83 2620 Table 161158: Validate Response Payload ................................................................................................ 83 2621 Table 162159: Query Request Payload ...................................................................................................... 84 2622 Table 163160: Query Response Payload ................................................................................................... 84 2623 Table 164161: Cancel Request Payload .................................................................................................... 85 2624 Table 165162: Cancel Response Payload .................................................................................................. 85 2625 Table 166163: Poll Request Payload .......................................................................................................... 85 2626 Table 167164: Notify Message Payload ..................................................................................................... 86 2627 Table 168165: Put Message Payload ......................................................................................................... 87 2628 Table 169166: Protocol Version Structure in Message Header .................................................................. 88 2629 Table 170167: Operation in Batch Item ...................................................................................................... 88 2630 Table 171168: Maximum Response Size in Message Request Header .................................................... 88 2631 172169: Unique Batch Item ID in Batch Item .............................................................................................. 89 2632 Table 173170: Time Stamp in Message Header ........................................................................................ 89 2633 Table 174171: Authentication Structure in Message Header ..................................................................... 89 2634 Table 175172: Asynchronous Indicator in Message Request Header ....................................................... 89 2635 Table 176173: Asynchronous Correlation Value in Response Batch Item ................................................. 90 2636 Table 177174: Result Status in Response Batch Item ............................................................................... 90 2637 Table 178175: Result Reason in Response Batch Item ............................................................................. 91 2638 Table 179176: Result Message in Response Batch Item ........................................................................... 91 2639 Table 180177: Batch Order Option in Message Request Header .............................................................. 91 2640 Table 181178: Batch Error Continuation Option in Message Request Header .......................................... 92 2641 182179: Batch Count in Message Header .................................................................................................. 92 2642 Table 183180: Batch Item in Message ....................................................................................................... 92 2643
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 170 of 176
Table 184181: Message Extension Structure in Batch Item ....................................................................... 93 2644 Table 185182: Request Message Structure ............................................................................................... 94 2645 Table 186183: Response Message Structure ............................................................................................. 94 2646 Table 187: Request Header Structure ........................................................................................................ 94 2647 Table 184: Synchronous Request Header Structure .................................................................................. 94 2648 Table 188185: Request Batch Item Structure ............................................................................................. 95 2649 Table 189186: Response Header Structure ............................................................................................... 95 2650 Table 187: Synchronous Response Batch Item Structure .......................................................................... 95 2651 Table 188: Asynchronous Request Header Structure ................................................................................ 96 2652 Table 189: Asynchronous Request Batch Item Structure ........................................................................... 96 2653 Table 190: Asynchronous Response Header Structure ............................................................................. 96 2654 Table 191: Asynchronous Response Batch Item Structure ........................................................................ 97 2655 Table 191192: Allowed Item Type Values .................................................................................................. 99 2656 Table 192193: Allowed Item Length Values ............................................................................................. 100 2657 Table 193194: Tag Values ........................................................................................................................ 106 2658 Table 194195: Credential Type Enumeration ........................................................................................... 107 2659 Table 195196: Key Compression Type Enumeration ............................................................................... 107 2660 Table 196197: Key Format Type Enumeration ......................................................................................... 108 2661 Table 197198: Wrapping Method Enumeration ........................................................................................ 108 2662 Table 198199: Recommended Curve Enumeration for ECDSA, ECDH, and ECMQV ............................ 109 2663 Table 199200: Certificate Type Enumeration ........................................................................................... 109 2664 Table 200201: Split Key Method Enumeration ......................................................................................... 109 2665 Table 201202: Secret Data Type Enumeration ......................................................................................... 110 2666 Table 202203: Opaque Data Type Enumeration ...................................................................................... 110 2667 Table 203204: Name Type Enumeration .................................................................................................. 110 2668 Table 204205: Object Type Enumeration ................................................................................................. 110 2669 Table 205206: Cryptographic Algorithm Enumeration .............................................................................. 111 2670 Table 206207: Block Cipher Mode Enumeration ...................................................................................... 112 2671 Table 207208: Padding Method Enumeration .......................................................................................... 112 2672 Table 208209: Hashing Algorithm Enumeration ....................................................................................... 113 2673 Table 209210: Key Role Type Enumeration ............................................................................................. 114 2674 Table 210211: State Enumeration ............................................................................................................ 115 2675 Table 211212: Revocation Reason Code Enumeration ........................................................................... 115 2676 Table 212213: Link Type Enumeration ..................................................................................................... 115 2677 Table 213214: Derivation Method Enumeration ....................................................................................... 116 2678 Table 214215: Certificate Request Type Enumeration ............................................................................. 116 2679 Table 215216: Validity Indicator Enumeration .......................................................................................... 116 2680 Table 216217: Query Function Enumeration ............................................................................................ 117 2681 Table 217218: Cancellation Result Enumeration ..................................................................................... 117 2682 Table 218219: Put Function Enumeration ................................................................................................ 117 2683 Table 219220: Operation Enumeration ..................................................................................................... 118 2684 Table 220221: Result Status Enumeration ............................................................................................... 119 2685
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 171 of 176
Table 221222: Result Reason Enumeration ............................................................................................. 119 2686 Table 222223: Batch Error Continuation Enumeration ............................................................................. 120 2687 Table 223: Usage Limits Unit Enumeration .............................................................................................. 120 2688 Table 224: Cryptographic Usage Mask ..................................................................................................... 121 2689 Table 225: Storage Status Mask ............................................................................................................... 121 2690 Table 226: General Errors ......................................................................................................................... 124 2691 Table 227: Create Errors ........................................................................................................................... 125 2692 Table 228: Create Key Pair Errors ............................................................................................................ 125 2693 Table 229: Register Errors ........................................................................................................................ 126 2694 Table 230: Re-key Errors .......................................................................................................................... 127 2695 Table 231: Derive Key Errors-................................................................................................................... 127 2696 Table 232: Certify Errors ........................................................................................................................... 128 2697 Table 233: Re-certify Errors ...................................................................................................................... 128 2698 Table 234: Locate Errors ........................................................................................................................... 129 2699 Table 235: Check Errors ........................................................................................................................... 129 2700 Table 236: Get Errors ................................................................................................................................ 129 2701 Table 237: Get Attributes Errors ............................................................................................................... 130 2702 Table 238: Get Attribute List Errors .......................................................................................................... 130 2703 Table 239: Add Attribute Errors ................................................................................................................ 130 2704 Table 240: Modify Attribute Errors ............................................................................................................ 131 2705 Table 241: Delete Attribute Errors ............................................................................................................ 131 2706 Table 242: Obtain Lease Errors ................................................................................................................ 132 2707 Table 243: Get Usage Allocation Errors ................................................................................................... 132 2708 Table 244: Activate Errors ......................................................................................................................... 132 2709 Table 245: Revoke Errors ......................................................................................................................... 133 2710 Table 246: Destroy Errors ......................................................................................................................... 133 2711 Table 247: Archive Errors ......................................................................................................................... 133 2712 Table 248: Recover Errors ........................................................................................................................ 133 2713 Table 249: Validate Errors ........................................................................................................................ 134 2714 Table 250: Poll Errors ............................................................................................................................... 134 2715 Table 251: Batch Items Errors .................................................................................................................. 134 2716 Table 252: Attribute Cross-reference ........................................................................................................ 138 2717 Table 253: Tag Cross-reference ............................................................................................................... 143 2718 Table 254: Operation and Object Cross-reference ................................................................................... 144 2719 2720
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 172 of 176
F. Acknowledgements 2721
The following individuals have participated in the creation of this specification and are gratefully 2722 acknowledged: 2723
Original Authors of the initial contribution: 2724 David Babcock, HP 2725 Steven Bade, IBM 2726 Paolo Bezoari, NetApp 2727 Mathias Björkqvist, IBM 2728 Bruce Brinson, EMC 2729 Christian Cachin, IBM 2730 Tony Crossman, Thales/nCipher 2731 Stan Feather, HP 2732 Indra Fitzgerald, HP 2733 Judy Furlong, EMC 2734 Jon Geater, Thales/nCipher 2735 Bob Griffin, EMC 2736 Robert Haas, IBM (editor) 2737 Timothy Hahn, IBM 2738 Jack Harwood, EMC 2739 Walt Hubis, LSI 2740 Glen Jaquette, IBM 2741 Jeff Kravitz, IBM (editor emeritus) 2742 Michael McIntosh, IBM 2743 Brian Metzger, HP 2744 Anthony Nadalin, IBM 2745 Elaine Palmer, IBM 2746 Joe Pato, HP 2747 René Pawlitzek, IBM 2748 Subhash Sankuratripati, NetApp 2749 Mark Schiller, HP 2750 Martin Skagen, Brocade 2751 Marcus Streets, Thales/nCipher 2752 John Tattan, EMC 2753 Karla Thomas, Brocade 2754 Marko Vukolić, IBM 2755 Steve Wierenga, HP 2756
Participants: 2757 2758 Mike Allen, PGP Corporation 2759 Gordon Arnold, IBM 2760 Todd Arnold, IBM 2761 Matthew Ball, Oracle CorporationSun Microsystems 2762 Elaine Barker, NIST 2763 Peter Bartok, Venafi, Inc. 2764 Mathias Björkqvist, IBM 2765 Kevin Bocek, Thales e-Security 2766 Kelley Burgin, National Security Agency 2767 Jon Callas, PGP Corporation 2768 Tom Clifford, Symantec Corp. 2769 Graydon Dodson, Lexmark International Inc. 2770 Chris Dunn, SafeNet, Inc. 2771 Paul Earsy, SafeNet, Inc. 2772 Stan Feather, Hewlett-PackardHP 2773
Formatted: Indent: First line: 36 pt
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 173 of 176
Indra Fitzgerald, Hewlett-PackardHP 2774 Alan Frindell, SafeNet, Inc. 2775 Judith Furlong, EMC Corporation 2776 Jonathan Geater, Thales e-Security 2777 Robert Griffin, EMC Corporation 2778 Robert Haas, IBM 2779 Thomas Hardjono, M.I.T. 2780 Kurt Heberlein, 3PAR, Inc. 2781 Marc Hocking, BeCrypt Ltd. 2782 Larry Hofer, Emulex Corporation 2783 Brandon Hoff, Emulex Corporation 2784 Walt Hubis, LSI Corporation 2785 Wyllys Ingersoll, Oracle CorporationSun Microsystems 2786 Jay Jacobs, Target Corporation 2787 Glen Jaquette, IBM 2788 Scott Kipp, Brocade Communications Systems, Inc. 2789 David Lawson, Emulex Corporation 2790 Hal Lockhart, Oracle Corporation 2791 Robert Lockhart, Thales e-Security 2792 Shyam Mankala, EMC Corporation 2793 Upendra Mardikar, PayPal Inc. 2794 Marc Massar, Individual 2795 Don McAlister, AssociateCipheroptics 2796 Hyrum Mills, Mitre Corporation 2797 Bob Nixon, Emulex Corporation 2798 Landon Curt Noll, Cisco Systems, Inc. 2799 René Pawlitzek, IBM 2800 Rob Philpott, EMC Corporation 2801 Scott Rea, Individual 2802 Bruce Rich, IBM 2803 Scott Rotondo, Oracle CorporationSun Microsystems 2804 Saikat Saha, Vormetric, Inc. 2805 Anil Saldhana, Red Hat 2806 Subhash Sankuratripati, NetApp 2807 Mark Schiller, Hewlett-PackardHP 2808 Jitendra Singh, Brocade Communications Systems, Inc. 2809 Servesh Singh, EMC Corporation 2810 Terence Spies, Voltage Security 2811 Sandy Stewart, Oracle CorporationSun Microsystems 2812 Marcus Streets, Thales e-Security 2813 Brett Thompson, SafeNet, Inc. 2814 Benjamin Tomhave, Individual 2815 Sean Turner, IECA, Inc. 2816 Paul Turner, Venafi, Inc. 2817 Marko VukolićVukolic, IBM 2818 Rod Wideman, Quantum Corporation 2819 Steven Wierenga, Hewlett-PackardHP 2820 Peter Yee, EMC Corporation 2821 Krishna Yellepeddy, IBM 2822 Peter Zelechoski, Election Systems & Software 2823 Grace Zhang, Skyworth TTG Holdings Limited 2824
2825
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 174 of 176
G. Revision History 2826
Revision Date Editor Changes Made
ed-0.98 2009-04-24 Robert Haas Initial conversion of input document to OASIS format together with clarifications.
ed-0.98 2009-05-21 Robert Haas Changes to TTLV format for 64-bit alignment. Appendices indicated as non normative.
ed-0.98 2009-06-25 Robert Haas, Indra Fitzgerald
Multiple editorial and technical changes, including merge of Template and Policy Template.
ed-0.98 2009-07-23 Robert Haas, Indra Fitzgerald
Multiple editorial and technical changes, mainly based on comments from Elaine Barker and Judy Furlong. Fix of Template Name.
ed-0.98 2009-07-27 Indra Fitzgerald Added captions to tables and figures.
ed-0.98 2009-08-27 Robert Haas Wording compliance changes according to RFC2119 from Rod Wideman. Removal of attribute mutation in server responses.
ed-0.98 2009-09-03 Robert Haas Incorporated the RFC2119 language conformance statement from Matt Ball; the changes to the Application-Specific Information attribute from René Pawlitzek; the extensions to the Query operation for namespaces from Mathias Björkqvist; the key roles proposal from Jon Geater, Todd Arnold, & Chris Dunn. Capitalized all RFC2119 keywords (required by OASIS) together with editorial changes.
ed-0.98 2009-09-17 Robert Haas Replaced Section 10 on HTTPS and SSL with the content from the User Guide. Additional RFC2119 language conformance changes. Corrections in the enumerations in Section 9.
ed-0.98 2009-09-25 Indra Fitzgerald, Robert Haas
New Cryptographic Domain Parameters attribute and change to the Create Key Pair operation (from Indra Fitzgerald). Changes to Key Block object and Get operation to request desired Key Format and Compression Types (from Indra Fitzgerald). Changes in Revocation Reason code and new Certificate Issuer attribute (from Judy Furlong). No implicit object state change after Re-key or Re-certify. New Section 13 on Implementation Conformance from Matt Ball. Multiple editorial changes and new enumerations.
ed-0.98 2009-09-29 Robert Haas (Version edited during the f2f) Moved content of Sections 8 (Authentication) and 10 (Transport), into the KMIP Profiles Specification. Clarifications (from Sean Turner) on key encoding (for Byte String) in 9.1.1.4. Updates for certificate update and renewal (From Judy
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 175 of 176
Furlong) First set of editorial changes as suggested by Elaine Barker (changed Octet to Byte, etc). (version approved as TC Committee Draft on Sep 29 2009, counts as draft-01 version)
draft-02 2009-10-09 Robert Haas, Indra Fitzgerald
Second set of editorial changes as suggested by Elaine Barker (incl. renaming of “Last Change Date” attribute). Added list of references from Sean Turner and Judy Furlong, as well as terminology. Made Result Reasons in error cases (Sec 11) normative. Added statement on deletion of attributes by server (line 457). Added major/minor 1.0 for protocol version (line 27). Systematic use of italics when introducing a term for first time. Added “Editor’s note” comments remaining to be addressed before public review.
draft-03 2009-10-14 Robert Haas, Indra Fitzgerald
Addressed outstanding “Editor’s note” comments. Added acronyms and references.
draft-04 2009-10-21 Robert Haas, Indra Fitzgerald
Added the list of participants (Appendix F). Point to the KMIP Profiles document for a list standard application namespaces. Added Terminology (from Bob Lockhart, borrowed from SP800-57 Part 1). Modified title page.
draft-05 2009-11-06 Robert Haas Additions to the tags table. Added Last Change Date attribute to conformance clause (sec 12.1). Minor edits. This is the tentative revision for public review.
draft-06 2009-11-09 Robert Haas Editorial fixes to the reference sections. Correction of the comments for the Unique Batch Item ID in the Response Header structures (from Steve Wierenga). Version used for Public Review 01.
draft-07 2010-02-04 Robert Haas Editorial fixes according to Elaine Barker’s comments. Comments for which the proposed resolution is “No Change” are indicated accordingly. Open issues marked with “TBD” and possible Usage Guide items are marked with “UG”.
draft-08 2010-03-02 Robert Haas, Indra Fitzgerald
Incorporated TC and non-TC editorial and technical comments from the public review: Simplified Usage Limits attribute, added Template as a third parameter to Register, restricted custom attributes to have at most one level of structures (Matt Ball). Incorporated ballot changes towards server-to-server support, extended Get Attributes to allow returning all attributes, clarified Operation Policy Name attribute (Marko Vukolic). Clarified Transparent Key Structures (Judy Furlong). Clarified Cryptographic Domain Parameters and Create Key Pair (Elaine Barker).
draft-09 2010-03-15 Robert Haas, Indra Fitzgerald
Revised Credential object to specify Username and Password (Matt Ball). Clarified Transparent Key section with new parameter-mapping table (Indra Fitzgerald). Clarified Digest attribute description. Renamed Role Type to Key Role Type. Editorial fixes.
draft-10 2010-03-18 Robert Haas Updated participants’ list. Editorial fixes.
kmip-spec-1.0-cd-10 18 March 2010 Copyright © OASIS® 2010. All Rights Reserved. Page 176 of 176
2827